Impact
Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Giveaways and Contests by RafflePress allows an attacker to perform state‑changing actions on behalf of an authenticated user without their consent. The flaw stems from missing or insufficient CSRF token verification when processing form submissions. An attacker can craft a malicious link or form that, if a legitimate user visits the link while authenticated, will trigger unintended modifications or actions within the contest plugin, potentially affecting the visibility or outcome of giveaways. While the vulnerability does not directly expose sensitive data, it could be leveraged to manipulate contest settings, alter participant lists, or inject new promoters, thereby undermining the integrity and trust in the platform.
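The root cause named above, a form handler that trusts any POST carrying the victim's cookies, is easiest to see next to the fix WordPress provides for it. The following is an added, generic illustration written for this page; it is not RafflePress code, and the hook names (`demo_contest_save`), option name, nonce action and capability are assumptions chosen for the demonstration.

```php
<?php
// Added illustrative example, not code from the RafflePress plugin.
// All hook, option and nonce names below are assumptions for the demo.

// --- Weak pattern: the handler trusts any POST that reaches it. ----------
// If an authenticated administrator's browser is made to submit a form to
// admin-post.php?action=demo_contest_save_unverified, the session cookies
// ride along and the change is applied. The capability check does not
// help: the victim really is authorized; what is missing is proof that the
// request was issued from the plugin's own page.
function demo_contest_save_unverified() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    update_option( 'demo_contest_status', sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-contest' ) );
    exit;
}
add_action( 'admin_post_demo_contest_save_unverified', 'demo_contest_save_unverified' );

// --- Hardened pattern: nonce emitted with the form, verified in the handler.
// wp_nonce_field() writes a hidden field whose value is bound to the current
// user, session token and a time window; a page on another origin cannot
// read or forge it.
function demo_contest_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_contest_save">
        <?php wp_nonce_field( 'demo_contest_save', 'demo_contest_nonce' ); ?>
        <select name="status">
            <option value="active">active</option>
            <option value="paused">paused</option>
        </select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_contest_save_verified() {
    // check_admin_referer() runs wp_verify_nonce() on the named field and
    // terminates the request with a 403 when the nonce is absent, expired or
    // issued for a different user. Do this before touching any state.
    check_admin_referer( 'demo_contest_save', 'demo_contest_nonce' );

    // Authorization is still required: the nonce only proves the request
    // came from a page this site served to this user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Validate against an allow-list rather than storing arbitrary input.
    $allowed = array( 'active', 'paused' );
    $status  = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_die( 'Invalid status.', '', array( 'response' => 400 ) );
    }

    update_option( 'demo_contest_status', $status );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=demo-contest' ) ) );
    exit;
}
add_action( 'admin_post_demo_contest_save', 'demo_contest_save_verified' );
```

For handlers reached through `admin-ajax.php` the equivalent guard is `check_ajax_referer()`, and REST routes registered with `register_rest_route()` get the same protection from the `X-WP-Nonce` header when the route declares a `permission_callback`. When auditing a plugin for this class of bug, the review question is the same for every state-changing action: is there a nonce (or REST cookie-nonce) check that runs before the first write, and is it paired with a capability check rather than substituted for one.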
Affected Systems
The affected product is Syed Balkhi’s Giveaways and Contests by RafflePress plugin for WordPress. All releases up to and including version 1.12.20 are vulnerable; the lower bound of the affected range is recorded as n/a, so every earlier release should be treated as affected.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the moderate range. The EPSS score of less than 1% indicates a very low probability of current exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation depends on a victim who holds an authenticated session being induced to load a crafted URL or HTML form, so the attack vector is inferred as remote. Given the limited exploitability and the absence of public exploits, the overall threat is moderate, but the issue should be remediated promptly to prevent potential abuse.
OpenCVE Enrichment