Impact
A cross-site request forgery (CSRF) flaw in the Laborator Kalium WordPress theme lets an attacker trick an authenticated site user into submitting state-changing requests the user never intended. The forged request is processed with the victim's privileges, so the attacker can trigger whichever unprotected theme actions that user is allowed to perform, potentially altering site content or theme configuration. The supplied CVSS score of 4.3 (Medium) reflects this: the flaw causes unintended actions on the victim's behalf rather than direct code execution.
Affected Systems
WordPress sites running the Laborator Kalium theme at version 3.18.3 or earlier are affected; every release from the theme's first version through 3.18.3 is in scope. A site remains vulnerable until the theme is upgraded to a release later than 3.18.3. The installed version can be confirmed under Appearance > Themes in the WordPress dashboard or from the Version: header in the theme's style.css.
Risk and Exploitability
The EPSS score below 1% indicates a very low estimated probability of exploitation in the wild, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The most likely attack vector is a link or auto-submitting form hosted by the attacker that makes the victim's browser send a forged request to the site while the victim's WordPress session cookies are attached. Because the flaw stems from missing anti-CSRF tokens (WordPress nonces) on certain theme actions, successful exploitation requires the victim to be logged in, to hold the privileges the targeted action needs, and to visit the attacker's page, which narrows the window of opportunity. Within that window, however, an attacker holding such a payload can cause unintended changes to the site's content or settings without ever authenticating to it.
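The following is an added illustrative example, not code from the Kalium theme or from Laborator: it shows the pattern behind a missing-nonce CSRF in a WordPress theme handler and the hardened form WordPress expects. The action name `demo_theme_save_option`, the option `demo_theme_option`, the nonce field name and the `edit_theme_options` capability are assumptions chosen for the demonstration; the WordPress functions (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are the real APIs.

```php
<?php
// Added example (not Kalium's code). Action, option and nonce names are assumptions.
// Drop into a theme's functions.php to see both handlers behave as described.

// BEFORE: a handler that trusts any POST from a logged-in user. A form on an
// attacker-controlled page posting to admin-post.php?action=demo_theme_save_option
// is accepted, because nothing ties the request to a page the user actually loaded.
function demo_vulnerable_save_option() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required' );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['demo_option'] ?? '' ) );
    update_option( 'demo_theme_option', $value ); // state change with no nonce check
    wp_safe_redirect( admin_url( 'themes.php?page=demo-theme&saved=1' ) );
    exit;
}

// AFTER: the same handler with the two checks WordPress expects on any
// state-changing admin action.
function demo_hardened_save_option() {
    // 1. Authorisation: being logged in is not enough; require the capability
    //    the action actually needs.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: verify the nonce emitted by wp_nonce_field() on the settings page.
    //    check_admin_referer() calls wp_die() ("The link you followed has expired")
    //    when the nonce is missing, forged, or past its 12-24 hour lifetime.
    check_admin_referer( 'demo_theme_save_option', 'demo_theme_nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['demo_option'] ?? '' ) );
    update_option( 'demo_theme_option', $value );
    wp_safe_redirect( admin_url( 'themes.php?page=demo-theme&saved=1' ) );
    exit;
}

// Register only the logged-in hook. No admin_post_nopriv_* handler is registered,
// so anonymous requests for this action fall through and nothing runs.
add_action( 'admin_post_demo_theme_save_option', 'demo_hardened_save_option' );

// The settings form that emits the nonce the handler verifies. The hidden nonce
// field is the one thing a cross-origin page cannot reproduce: WordPress derives
// it from the victim's user ID, session token and the action string.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_theme_save_option">
        <?php wp_nonce_field( 'demo_theme_save_option', 'demo_theme_nonce' ); ?>
        <input type="text" name="demo_option"
               value="<?php echo esc_attr( get_option( 'demo_theme_option', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

For AJAX endpoints registered on `wp_ajax_*` hooks the equivalent check is `check_ajax_referer()`; the capability check stays the same. When auditing a theme for this class of bug, grep its `admin_post_*`, `wp_ajax_*` and `admin_init`-driven handlers for any `update_option`, `wp_update_post` or file write that is not preceded by a nonce verification and a `current_user_can()` call.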