The flaw is a classic CSRF vulnerability (CWE‑352) that allows an attacker to trick a logged‑in user into sending a malicious request to the WordPress site. By exploiting the missing anti‑CSRF token on the Simple Keyword to Link plugin’s endpoints, an attacker could trigger edits to link keywords or other plugin settings without the user’s explicit consent, potentially disrupting site content or redirecting traffic for malicious purposes.

The vulnerability exists in all released builds of the Simple Keyword to Link WordPress plugin published by Alessandro Piconi, from the very first version through version 1.5 inclusive. All installations running any of these versions are susceptible.

The calculated CVSS score of 5.4 places the issue in the moderate range, reflecting the need for user authentication and a valid session to carry out the attack. The EPSS score of less than 1% indicates a very low probability of real‑world exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely attempt the exploit by enticing an authenticated administrator to visit a crafted link or form, or by luring users to websites that automatically submit the malicious request. Maintenance of a low exploitation probability does not reduce the need for remediation, especially given the potential for administrative privilege abuse.