Impact
A CSRF weakness exists in the Burst Statistics plugin that allows an attacker to cause authenticated WordPress users to perform privileged actions without their knowledge. The plugin fails to validate the origin of state-changing requests, so an attacker can embed a forged request in a website they control and trick a logged-in user into submitting it. The weakness is cataloged as CWE-352 and can lead to unauthorized configuration changes where the underlying administrative actions carry no additional protection.
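The missing control described above is origin validation of state-changing requests; in WordPress the standard fix is a nonce check paired with a capability check. The following is an added example of a hardened settings handler, not code from the Burst Statistics plugin; the option name, action name and nonce field name are hypothetical:

```php
<?php
// Added example (not Burst Statistics code): a hardened WordPress admin-post
// handler for a hypothetical plugin setting. A CSRF-vulnerable handler would
// apply the value straight from $_POST with neither a nonce nor a capability
// check; this one requires both before any state changes.

// Hypothetical option and action names used only for this example.
const EXAMPLE_OPTION = 'example_tracking_enabled';
const EXAMPLE_ACTION = 'example_save_setting';

// Render the settings form. wp_nonce_field() embeds a per-user, per-action,
// time-limited token that a page on another origin cannot read or forge.
function example_render_settings_form() {
    $enabled = get_option( EXAMPLE_OPTION, '0' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( EXAMPLE_ACTION ) . '">';
    wp_nonce_field( EXAMPLE_ACTION, '_example_nonce' );
    echo '<label><input type="checkbox" name="tracking_enabled" value="1" '
        . checked( '1', $enabled, false ) . '> Enable tracking</label>';
    submit_button( 'Save' );
    echo '</form>';
}

// Handle the submission. Order matters: authorization (capability) first,
// then request provenance (nonce), then input sanitization, then the write.
function example_handle_save_setting() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // check_admin_referer() verifies the nonce for this action and dies on
    // failure; this is the origin validation the advisory reports as absent.
    check_admin_referer( EXAMPLE_ACTION, '_example_nonce' );

    // Only an explicit "1" enables tracking; anything else disables it.
    $enabled = ( isset( $_POST['tracking_enabled'] ) && '1' === $_POST['tracking_enabled'] ) ? '1' : '0';
    update_option( EXAMPLE_OPTION, $enabled );

    $back = wp_get_referer() ?: admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}

add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_handle_save_setting' );
```

For AJAX endpoints the same pattern applies with check_ajax_referer() in place of check_admin_referer(); the capability check stays, because a nonce proves the request came from a page the site served to that user, not that the user is allowed to perform the action.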
Affected Systems
Burst Statistics B.V. offers the Burst Statistics WordPress plugin. All versions up to and including 2.0.6 are affected; no later releases have been identified as vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need a target user who is logged into WordPress with sufficient privileges, plus a site under their control to host the forged request; the likely attack vector is a conventional CSRF flow from an untrusted page. Based on the description, exploitation is inferred to require the victim to visit a page containing the forged request while holding a valid session.
OpenCVE Enrichment