Impact
The affected WordPress Cookiebot plugin contains a CSRF flaw that allows an attacker to forge browser requests to the plugin’s administrative endpoints. By exploiting the missing or improper token verification, a malicious actor can potentially trigger plugin actions as a logged‑in user. The vulnerability is documented for all releases up to and including version 4.5.8 and can be leveraged without additional user interaction once the victim’s authenticated session is active.
Affected Systems
The flaw impacts the Cookiebot plugin supplied by the vendor Cookiebot. Any WordPress installation that includes Cookiebot version 4.5.8 or earlier is vulnerable. No other products or vendors are listed in the vendor‑product mapping for this CVE.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the moderate range, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed evidence of active exploitation in the wild. Based on the description, the likely attack vector requires an attacker to coerce a victim's authenticated browser into sending a forged request, typically via a malicious link or script targeting a plugin endpoint that is not protected with a CSRF token. In the absence of additional authentication or scope information, it is inferred that the vulnerability is a standard CSRF that could affect administrative actions on the site.
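To make the flaw class concrete, the following WordPress-style settings handler is an added illustration, not code from the Cookiebot plugin or from this advisory. It shows an admin-post action that accepts state changes with no nonce verification next to the hardened form that checks the nonce and the user's capability. The action names, option name, nonce name and form field are hypothetical placeholders.

```php
<?php
// Added example: a hypothetical plugin settings handler, not the Cookiebot plugin's code.
// 'example_save_settings', 'example_setting' and '_example_nonce' are placeholder names.

// --- Vulnerable pattern: no nonce verification, no capability check ---
// Any cross-site form that posts to admin-post.php?action=example_save_settings_unsafe
// is accepted as long as the victim's browser carries a valid logged-in session cookie,
// which is exactly the missing/improper token verification a CSRF advisory describes.
add_action( 'admin_post_example_save_settings_unsafe', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    $value = isset( $_POST['example_setting'] ) ? $_POST['example_setting'] : '';
    update_option( 'example_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// --- Hardened pattern: nonce (CSRF token) + capability check + input sanitization ---
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // check_admin_referer() verifies the nonce bound to the current user's session and
    // calls wp_die() when it is missing or invalid, so a forged cross-site request stops here.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    // Authorization is a separate control from CSRF protection: require the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
    }

    $value = isset( $_POST['example_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_setting'] ) )
        : '';
    update_option( 'example_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// The legitimate settings form emits the matching nonce field, so only requests that
// originate from this page (and this user's session) pass check_admin_referer().
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <input type="text" name="example_setting"
               value="<?php echo esc_attr( get_option( 'example_setting', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'example' ) ); ?>
    </form>
    <?php
}
```

For handlers reached through admin-ajax.php the equivalent check is check_ajax_referer(); in both cases the nonce must be tied to a specific action string, and the capability check must remain in place because a nonce proves request origin, not authorization. When auditing a plugin for this flaw class, look for every add_action hook on admin_post_*, admin_post_nopriv_*, wp_ajax_* or a REST route that calls update_option(), writes files or changes users without one of these verifications.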