The Radio Station plugin for WordPress, versions up to 2.5.12, contains a Cross‑Site Request Forgery (CWE‑352) flaw that permits an attacker to forge requests against the plugin’s endpoints. When a user visits a malicious web page that triggers such a request, configuration or content changes could be performed without the user’s consent. The CVE description does not detail whether the vulnerability requires the victim to be logged in, so it is inferred that a logged‑in user or a user who can be induced to visit the crafted link would be necessary to execute the attack; this inference is not stated explicitly in the CVE text.

Any WordPress installation that has the Tony Zeoli Radio Station plugin installed with a version identifier of 2.5.12 or earlier is vulnerable. The affected product list provided by the CNA includes only the plugin itself; no other vendors or products are mentioned.

The CVSS base score of 4.3 classifies the flaw as moderate risk, while the EPSS score of less than 1% suggests that active exploitation is unlikely at present. Because the module exposes a CSRF endpoint, the likely attack vector is client‑side, relying on a user to follow a malicious link, but the CVE documentation does not confirm this explicitly. The vulnerability is currently not indexed in the CISA KEV catalog, and no official patch has been released; therefore the recommended approach is to eliminate the vulnerable code path until a newer plugin release becomes available.