Impact
A Cross‑Site Request Forgery flaw in Piotnet Forms version 1.0.30 and earlier allows an attacker to trick a logged‑in user into submitting a crafted request. The vulnerability can lead to unwanted form submissions, data alteration, or other actions performed with the victim’s privileges, potentially impacting the confidentiality, integrity, and availability of site data. The weakness is a classic CSRF flaw, identified as CWE‑352.
Affected Systems
WordPress sites running the Piotnet Forms plugin at version 1.0.30 or any earlier release are affected. The vulnerability applies to the entire plugin codebase and to any forms it renders.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that exploitation would typically require a malicious webpage to induce the victim to load content that submits a form on the site, which would make the attack vector web‑based and dependent on the victim’s authentication state. Because the weakness is a predictable CSRF scenario, mitigations around token verification or same‑origin restrictions are an effective strategy to reduce risk.
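To make the token-verification mitigation concrete, the following added illustration shows the vulnerable and hardened shapes of a WordPress AJAX form handler; it is not Piotnet Forms code, and the hook name demo_form_submit, the post type demo_entry and the script handle demo-form are hypothetical.

```php
<?php
// Added illustration (not Piotnet Forms code). 'demo_form_submit', 'demo_entry'
// and the script handle 'demo-form' are hypothetical names.

// --- Vulnerable shape: handler relies on the login cookie alone (CWE-352) ---
add_action( 'wp_ajax_demo_form_submit_unsafe', 'demo_form_submit_unsafe' );
function demo_form_submit_unsafe() {
    // The browser attaches the victim's cookies to a cross-site POST as well,
    // so a page the victim merely visits can create an entry in their name.
    $id = wp_insert_post( array(
        'post_type'    => 'demo_entry',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
        'post_content' => sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) ),
        'post_status'  => 'private',
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// --- Hardened shape: issue a nonce with the page, verify it on every submit ---
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-form', plugins_url( 'form.js', __FILE__ ), array(), '1.0', true );
    // The front-end script sends demoForm.nonce as the 'nonce' POST field with the form data.
    wp_localize_script( 'demo-form', 'demoForm', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_form_submit' ),
    ) );
} );

add_action( 'wp_ajax_demo_form_submit', 'demo_form_submit_safe' );
function demo_form_submit_safe() {
    // check_ajax_referer() recomputes the nonce from the action name, the current
    // user's session token and a 12-24 hour tick. A third-party page cannot read
    // that value, so a forged request dies here (HTTP 403, body "-1") before any write.
    check_ajax_referer( 'demo_form_submit', 'nonce' );

    $id = wp_insert_post( array(
        'post_type'    => 'demo_entry',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
        'post_content' => sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) ),
        'post_status'  => 'private',
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}
```

The same check applies to non-AJAX handlers via check_admin_referer() with a wp_nonce_field() in the form; the nonce must be verified before any state change, not after.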
OpenCVE Enrichment
EUVD