Impact
The Fastly WordPress plugin contains a CSRF vulnerability that allows an attacker to force an authenticated user to perform unintended actions without their knowledge. The weakness is classified as CWE-352, the classic cross-site request forgery flaw. Because the attack rides on the victim's authenticated session, it does not expose credentials or data directly, but it can lead to unauthorized administrative changes or other actions chosen by the attacker but executed with the victim's privileges. The impact is limited to sessions that are active at the time of the forged request and does not compromise the core WordPress installation.
Affected Systems
The WordPress Fastly plugin, as distributed by Fastly, is affected in all versions prior to 1.2.29: any installation at version 1.2.28 or earlier is vulnerable. The weakness exists only where the plugin is installed and active in a WordPress environment; it does not affect the core WordPress software itself.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% signals an extremely low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to lure a logged-in user to a crafted URL or HTML payload; spontaneous exploitation is therefore unlikely, but the risk remains wherever users are frequently exposed to untrusted content.
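The advisory identifies only the weakness class (CWE-352), not the specific plugin endpoint, so the following is an added illustration and not the Fastly plugin's own code or its actual fix. It shows the pattern behind the Impact section above: a hypothetical WordPress settings handler that honours any request carrying the admin's session cookie, beside the same handler hardened with a WordPress nonce (which a cross-site page cannot obtain) and a capability check. It assumes the WordPress runtime (the admin_post_* hook, nonce and capability APIs); the action name, option key and form field names are assumptions.

```php
<?php
// Added example (not the Fastly plugin's code). Assumes it is loaded as part of a
// WordPress plugin; the action name "example_save_settings", the option key
// "example_api_key" and the nonce field name "example_nonce" are hypothetical.

// --- Weak form: the only thing authenticating this request is the session cookie,
// which the browser attaches automatically. Nothing proves the user rendered
// the form, so a request forged from another origin is accepted (CWE-352). ---
function example_weak_save_settings() {
    $api_key = isset( $_POST['example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        : '';
    update_option( 'example_api_key', $api_key );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
// Left unregistered on purpose; shown only for contrast:
// add_action( 'admin_post_example_save_settings', 'example_weak_save_settings' );

// --- Hardened form: emit a nonce with the form, then require it (and the right
// capability) before any state change. ---
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php
        // Ties the form to this user and this action; expires after 12-24 hours.
        wp_nonce_field( 'example_save_settings', 'example_nonce' );
        ?>
        <input type="text" name="example_api_key"
               value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_hardened_save_settings() {
    // 1. Authorisation: the session must belong to a user allowed to change options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. Intent: the request must carry the nonce emitted into the form the user
    //    actually rendered. check_admin_referer() calls wp_die() on a missing or
    //    invalid nonce, so a forged cross-site POST never reaches update_option().
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $api_key = isset( $_POST['example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        : '';
    update_option( 'example_api_key', $api_key );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_hardened_save_settings' );
```

The order of the two checks matters for both security and triage: the capability test rejects low-privileged sessions outright, and the nonce test rejects requests that did not originate from a page the privileged user rendered. For handlers reached through admin-ajax.php the equivalent guard is check_ajax_referer(); for GET-driven actions, the same nonce can be appended to the link with wp_nonce_url() and verified the same way. When auditing a plugin for this class of bug, every call that writes state (update_option, wp_update_post, cache purges, API key changes) should be traced back to one of these verifications.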