The vulnerability is a classic Cross‑Site Request Forgery flaw. An attacker can induce a logged‑in WordPress user to submit unintended requests to Instapage Plugin endpoints, causing state changes under the user’s credentials. The flaw only grants the attacker the permissions of the victim account; it does not allow remote code execution or broader system compromise. It is categorized as CWE‑352, indicating insufficient anti‑CSRF checks for state‑changing operations. The CVSS score of 4.3 signals a moderate risk level, while the EPSS score of <1% and absence from KEV suggest a low likelihood of active exploitation at present, though the ease of CSRF exploitation once a user is authenticated means sites should still evaluate the impact.

This issue affects installations of Instapage Plugin version 3.7.0 or earlier, supplied by the vendor instapagedev. It is typically activated within a WordPress installation and is used to embed Instapage landing pages or form elements. Any WordPress site that has not updated beyond 3.7.0 and still relies on this plugin is susceptible. The plugin’s internal request handling is the only affected component; other WordPress core components are not impacted.

The CVSS score of 4.3 reflects moderate severity, while the EPSS score of less than 1% indicates a very low probability that this vulnerability will be exploited in the wild at present. The flaw is not listed in the CISA KEV catalog, further suggesting limited threat visibility. Attackers would need to host a malicious site that the target user visits while authenticated and the plugin must have at least one state‑changing endpoint that does not enforce a CSRF token. If such conditions are met, the attacker can forge a request that executes automatically with the victim’s session cookie, potentially allowing change of plugin settings or posting of content. The lack of a high EPSS or KEV listing mitigates urgency slightly, but because the flaw is exploitable with minimal effort once an authenticated session exists, site owners should still prioritize remediation. The likely attack vector is a standard CSRF request originating from an attacker‑controlled web page targeting the vulnerable plugin endpoints.