Impact
The hpb seo plugin for WordPress contains a Cross‑Site Request Forgery flaw that allows an attacker to trigger privileged actions using a victim’s authenticated session. The weakness (CWE‑352) arises from insufficient anti‑CSRF validation, and the reported issue also leads to reflected cross‑site scripting (XSS) in certain circumstances. An attacker who can lure a logged‑in site administrator or other privileged user into visiting a crafted URL could force the plugin to perform state‑changing operations such as modifying SEO settings or injecting malicious content, thereby compromising the integrity and confidentiality of the site’s data.
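To make the "insufficient anti‑CSRF validation" concrete, the following is an added, hypothetical WordPress settings handler (not the hpb seo plugin's own code): the weak form accepts any request carrying the parameters and reflects the value unescaped, while the hardened form adds a capability check, a WordPress nonce bound to a named action, input sanitization and output escaping. The option name, action slugs and nonce field name are assumptions.

```php
<?php
// Hypothetical settings handler for illustration; not the plugin's code.
// Option name 'hpbseo_default_title' and action 'hpbseo_save_settings' are assumed.

// Weak pattern: any request with the right parameter updates the option. A logged-in
// administrator who loads a crafted URL or form from another site triggers it with
// their own session (CWE-352), and echoing the raw value reflects markup (XSS).
function hpbseo_save_settings_weak() {
    $title = $_REQUEST['seo_title'];              // unvalidated, unsanitized
    update_option( 'hpbseo_default_title', $title );
    echo 'Saved: ' . $title;                      // reflected, unescaped
}

// Hardened pattern: privilege check, nonce tied to the action (admin-post.php
// endpoint), sanitized input, and a redirect instead of reflecting input.
function hpbseo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // Dies with "The link you followed has expired." when the nonce is absent or wrong.
    check_admin_referer( 'hpbseo_save_settings', 'hpbseo_nonce' );

    $title = isset( $_POST['seo_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['seo_title'] ) )
        : '';
    update_option( 'hpbseo_default_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=hpbseo' ) ) );
    exit;
}
add_action( 'admin_post_hpbseo_save_settings', 'hpbseo_save_settings_hardened' );

// Settings form: the nonce field is exactly what the weak handler never required,
// and the saved value is escaped on output rather than echoed from the request.
function hpbseo_render_form() {
    $current = get_option( 'hpbseo_default_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hpbseo_save_settings">
        <?php wp_nonce_field( 'hpbseo_save_settings', 'hpbseo_nonce' ); ?>
        <input type="text" name="seo_title" value="<?php echo esc_attr( $current ); ?>">
        <?php if ( ! empty( $_GET['updated'] ) ) : ?>
            <p>Saved: <?php echo esc_html( $current ); ?></p>
        <?php endif; ?>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for `update_option` or similar writes reachable from a request handler with no `check_admin_referer`/`wp_verify_nonce` and no `current_user_can` on the path.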
Affected Systems
This vulnerability affects the Allegro Marketing hpb seo plugin for WordPress, versions released up to and including 3.0.1. Any deployment of those releases on a WordPress installation is potentially exposed, regardless of the WordPress core version.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high severity, while the EPSS score of less than 1% suggests the likelihood of exploitation remains low at present. However, because a CSRF request travels as ordinary web traffic carrying the victim's session, the vulnerability is exploitable by unauthenticated actors who lure a victim into visiting a malicious link, and the absence of strict CSRF safeguards means any authenticated user's session can be abused in this way. Although the vulnerability is not yet listed in the CISA KEV catalog, the potential for data integrity loss and unauthorized changes warrants prompt attention.
OpenCVE Enrichment