Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Oik plugin for WordPress, affecting all releases up to and including 4.15.2. It stems from the plugin's failure to verify that a state-changing request was intentionally initiated by the authenticated user, so an attacker can cause that user's browser to submit requests that perform unwanted actions such as changing settings or posting content. The weakness is classified as CWE-352 and scored CVSS 4.3, indicating a moderate impact, primarily on integrity and potentially on availability if the attacker can delete or modify critical data.
Affected Systems
WordPress sites that have the Oik plugin (by bobbingwide) installed in any version up to and including 4.15.2 are affected. Any site running an unpatched release is potentially exposed.
Risk and Exploitability
The EPSS score of less than 1% suggests that the likelihood of exploitation is low, and the vulnerability is not currently listed in CISA's KEV catalog. The most probable attack vector is a web request that a logged-in user unknowingly sends, for example by clicking a malicious link or submitting a forged form. Exploitation requires the victim to be authenticated, since the forged requests only change state under the victim's session; no remote code execution or privilege escalation results from the described flaw.
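The missing check the advisory describes, shown as an added PHP illustration that is not Oik's code: a hypothetical settings handler in the CWE-352 pattern beside the hardened form that WordPress nonces and capability checks provide (the option, hook and nonce names are invented for the example).

```php
<?php
// Added example (hypothetical plugin code, not Oik's). Option, hook and
// nonce names below are invented for illustration.

// --- Vulnerable pattern: trusts any POST arriving with the user's cookies. ---
// admin_post_{action} only fires for logged-in users, but a form on another
// site submitted by the victim's browser also carries the session cookie, so
// this handler cannot distinguish an intended save from a forged one.
add_action( 'admin_post_demo_save_unsafe', function () {
    update_option( 'demo_setting', sanitize_text_field( wp_unslash( $_POST['demo_setting'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
} );

// --- Hardened pattern: a per-user, time-limited nonce ties the request to our form. ---
function demo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_save', 'demo_nonce' );  // hidden input the attacker's page cannot predict
    echo '<input type="hidden" name="action" value="demo_save">';
    echo '<input type="text" name="demo_setting" value="' . esc_attr( get_option( 'demo_setting', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

add_action( 'admin_post_demo_save', function () {
    // Capability check: being logged in is not the same as being allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: a cross-site request lacks a valid 'demo_nonce' value and dies here.
    // check_admin_referer() verifies the nonce (and the referer) and stops on failure.
    check_admin_referer( 'demo_save', 'demo_nonce' );

    update_option( 'demo_setting', sanitize_text_field( wp_unslash( $_POST['demo_setting'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=demo' ) ) );
    exit;
} );
```

When reviewing a plugin for this class of bug, every handler that writes options, posts or files should show both a capability check and a nonce verification before the write.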
OpenCVE Enrichment