Impact
Cross-Site Request Forgery (CSRF) enables an attacker to cause a victim's browser to submit forged HTTP requests to the WordPress installation, which the Seriously Simple Podcasting plugin then processes as if the victim had made them. This flaw could allow an attacker to modify podcast metadata or invoke administrative functions, because the plugin does not verify the authenticity of state-changing requests. The vulnerability is classified as CWE-352, a failure to authenticate such requests. Based on the description, it is inferred that the attacker would need a victim who is logged into the WordPress site in order for the forged request to be accepted.
Affected Systems
The Seriously Simple Podcasting plugin, developed by Craig Hewitt for WordPress, is affected. All versions up to and including 3.13.0 contain the flaw.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of assessment, and the vulnerability is not listed in CISA's KEV catalog. Based on common CSRF patterns, the likely attack vector involves an attacker convincing a logged-in administrator or content manager to visit a malicious webpage that automatically submits a forged request. This inference is drawn from the nature of CSRF attacks and the plugin's state-changing endpoints, not from published exploit details.
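The following is an added illustration of the CWE-352 pattern described above and of its standard WordPress mitigation; it is not code from the Seriously Simple Podcasting plugin, and the `example_podcast_*` handler names, the `manage_options` capability and the `example_podcast_title` option are hypothetical. It shows a state-changing admin-post handler that relies on a capability check alone beside the same handler protected with a nonce.

```php
<?php
// Added example, not plugin code. Hypothetical handler that updates a podcast setting.

// BEFORE (CWE-352): the logged-in victim's cookies satisfy the capability check,
// so a form auto-submitted from a third-party page is processed as the victim.
function example_podcast_save_insecure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // A capability check does not prove the request came from the site's own form.
    update_option( 'example_podcast_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-podcast' ) );
    exit;
}
add_action( 'admin_post_example_podcast_save_insecure', 'example_podcast_save_insecure' );

// AFTER: the settings form carries a nonce bound to the user and the action,
// and the handler rejects any request that does not present a valid one.
function example_podcast_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits the hidden nonce field plus a referer field.
    wp_nonce_field( 'example_podcast_save', '_example_podcast_nonce' );
    echo '<input type="hidden" name="action" value="example_podcast_save">';
    echo '<input type="text" name="title">';
    submit_button( 'Save' );
    echo '</form>';
}

function example_podcast_save_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Terminates the request with a 403 unless the nonce is valid for this
    // user and this action; a cross-site form cannot obtain that value.
    check_admin_referer( 'example_podcast_save', '_example_podcast_nonce' );
    update_option( 'example_podcast_title', sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-podcast' ) );
    exit;
}
add_action( 'admin_post_example_podcast_save', 'example_podcast_save_secure' );
```

AJAX endpoints registered on `wp_ajax_*` hooks need the same treatment via `check_ajax_referer()` or `wp_verify_nonce()`; the capability check and the nonce check are complementary, and both belong on every state-changing handler.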
OpenCVE Enrichment