Impact
The Yougler Blogger Profile Page plugin contains a Cross-Site Request Forgery flaw: the settings handler in the plugin's backend file has missing or incorrect nonce checks, so a forged HTTP request is accepted and alters the plugin's settings. The attacker needs no account of their own; it is enough to convince a logged-in site administrator to open a malicious link or page, whose browser then submits the forged request together with the administrator's session cookie. Configuration values such as layout options or social media URLs can be changed this way. The request runs with the privileges of the administrator whose browser sent it, but the impact is confined to the plugin's settings: the attacker can affect the appearance and behavior of the site, not gain direct code execution or exfiltrate data. The weakness is classic CSRF, CWE-352, insufficient verification that a state-changing request was intentionally issued by the user.
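To make the flaw concrete, the following is an added example written for this page, not the plugin's own code (which the page does not reproduce). It shows the WordPress settings-handler pattern the CWE-352 finding describes: a handler that saves option values from a POST without verifying a nonce, beside a hardened version that requires both a valid nonce and the manage_options capability, plus the form that emits the nonce. The hook names, option names and field names are hypothetical, and the code assumes it is loaded inside WordPress so that the core API functions used here exist.

```php
<?php
// Added example, not the Yougler Blogger Profile Page plugin's code.
// Assumes WordPress is loaded (admin_post_* hooks, update_option,
// check_admin_referer, wp_nonce_field, current_user_can are core functions).
// Hook, option and field names below are hypothetical.

// VULNERABLE PATTERN: whoever reaches this hook with the expected fields
// updates the options. admin_post_* hooks run for any logged-in user, and
// a browser attaches the admin's session cookie to a cross-site POST, so an
// attacker page that auto-submits a form to admin-post.php with
// action=example_profile_save_vulnerable is enough. Nothing ties the
// request to the plugin's own settings form.
function example_profile_save_settings_vulnerable() {
    if ( isset( $_POST['example_profile_layout'] ) ) {
        update_option(
            'example_profile_layout',
            sanitize_text_field( wp_unslash( $_POST['example_profile_layout'] ) )
        );
    }
    if ( isset( $_POST['example_profile_twitter_url'] ) ) {
        update_option(
            'example_profile_twitter_url',
            esc_url_raw( wp_unslash( $_POST['example_profile_twitter_url'] ) )
        );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-profile&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_profile_save_vulnerable', 'example_profile_save_settings_vulnerable' );

// HARDENED PATTERN: the caller must hold manage_options, and the request
// must carry a nonce bound to this action and to the logged-in user.
// check_admin_referer() calls wp_die() on a missing or invalid nonce, so a
// forged cross-site request never reaches update_option(). The capability
// check matters too: a nonce alone would still let a low-privilege user
// who can load the form change site-wide options.
function example_profile_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_profile_save', 'example_profile_nonce' );

    if ( isset( $_POST['example_profile_layout'] ) ) {
        update_option(
            'example_profile_layout',
            sanitize_text_field( wp_unslash( $_POST['example_profile_layout'] ) )
        );
    }
    if ( isset( $_POST['example_profile_twitter_url'] ) ) {
        update_option(
            'example_profile_twitter_url',
            esc_url_raw( wp_unslash( $_POST['example_profile_twitter_url'] ) )
        );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example-profile&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_profile_save', 'example_profile_save_settings_hardened' );

// The plugin's own settings form must emit the matching nonce field with the
// same action and field name, otherwise the hardened handler rejects the
// plugin's legitimate submissions as well. An attacker's page cannot forge
// this value: it is derived from the victim's session and expires.
function example_profile_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_profile_save">
        <?php wp_nonce_field( 'example_profile_save', 'example_profile_nonce' ); ?>
        <label>Layout
            <input type="text" name="example_profile_layout"
                   value="<?php echo esc_attr( get_option( 'example_profile_layout', 'default' ) ); ?>">
        </label>
        <label>Twitter URL
            <input type="url" name="example_profile_twitter_url"
                   value="<?php echo esc_attr( get_option( 'example_profile_twitter_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every code path that calls update_option(), update_user_meta() or similar on request data and confirm that a check_admin_referer() or wp_verify_nonce() call guards it; a nonce check that exists but verifies the wrong action string, or that sits after the write, is the "incorrect nonce check" variant and is just as exploitable as a missing one.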
Affected Systems
The vulnerability affects the netlatch Yougler Blogger Profile Page plugin for WordPress, versions up to and including 1.01. No fixed release is noted in the data, and the issue applies to any installation running one of these versions regardless of site configuration, WordPress version or theme. Administrators should check the installed plugin version promptly.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the medium range. The EPSS score is below 1 %, indicating a low probability of exploitation in the wild over the near term, and the issue is not listed in CISA's KEV catalog. Exploitation requires active social engineering: an administrator must be logged in and visit a crafted URL or page, and the attacker has no authenticated access of their own. No public exploit payload is noted, so the likelihood of exploitation is limited. If the attacker does succeed, however, they can modify plugin settings, disrupt site functionality, or present a compromised user interface to visitors, for example by redirecting the profile page's social media links to destinations they control.