Impact
The Guardian News Feed plugin for WordPress suffers from a Cross‑Site Request Forgery vulnerability caused by the absence of nonce validation in its settings update routine. An unauthenticated attacker can trick a site administrator into performing a seemingly benign action, such as clicking a link, that triggers a forged request to the plugin's settings endpoint. Because the browser attaches the administrator's session cookies automatically, the resulting request modifies the plugin's configuration, including the Guardian API key, without the administrator's explicit permission. This flaw is classified as CWE-352 and permits unauthorized configuration changes that may expose sensitive credentials and allow the attacker to change the behavior of the feed integration.
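As an added illustration (not the plugin's own code), the general CWE-352 shape described above beside a hardened handler that ties the settings update to a WordPress nonce; the gnf_* names, option key and page slug are assumptions.

```php
<?php
// Added illustration (not the plugin's own code): a minimal WordPress
// settings handler in the CWE-352 shape the advisory describes, beside
// a hardened version. Names (gnf_*) and the option key are hypothetical.

// --- Vulnerable shape: no nonce check, so any cross-origin POST that the
// --- admin's browser sends with cookies attached updates the option.
function gnf_save_settings_vulnerable() {
    if ( isset( $_POST['gnf_api_key'] ) ) {
        update_option( 'gnf_api_key', sanitize_text_field( wp_unslash( $_POST['gnf_api_key'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=gnf' ) );
    exit;
}

// --- Hardened: capability check + nonce bound to this action. A forged
// --- request cannot carry a valid nonce, so check_admin_referer() stops
// --- it with wp_die() before the option is touched.
function gnf_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Verifies _wpnonce against the action name and the current user session.
    check_admin_referer( 'gnf_save_settings', '_wpnonce' );
    $key = isset( $_POST['gnf_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['gnf_api_key'] ) )
        : '';
    update_option( 'gnf_api_key', $key );
    wp_safe_redirect( admin_url( 'options-general.php?page=gnf&updated=1' ) );
    exit;
}
add_action( 'admin_post_gnf_save_settings', 'gnf_save_settings_hardened' );

// Settings form: wp_nonce_field() emits the hidden _wpnonce input that the
// handler above verifies. The action name must match on both sides.
function gnf_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gnf_save_settings">
        <?php wp_nonce_field( 'gnf_save_settings', '_wpnonce' ); ?>
        <label>Guardian API key
            <input type="text" name="gnf_api_key"
                   value="<?php echo esc_attr( get_option( 'gnf_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce alone is the CSRF fix; the capability check is kept because a nonce only proves the request came from a page WordPress rendered for that user, not that the user may change settings.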
Affected Systems
WordPress installations running openplatform's "The Guardian News Feed" plugin version 1.2 or earlier are affected. All releases up to and including 1.2 lack the necessary CSRF protection, so any site using these versions is vulnerable unless the plugin is upgraded or the unprotected settings endpoint is disabled.
Risk and Exploitability
With a CVSS score of 4.3, the vulnerability is rated as moderate, and the EPSS score of less than 1 % indicates a low likelihood of widespread exploitation at present. The flaw is not cataloged in the CISA KEV list, reflecting its limited exploitation history. Exploitation requires user interaction: the attacker must entice an administrator to perform a pre‑determined action, such as clicking a malicious link. While the vulnerability does not grant direct access to privileged functions beyond configuration changes, tampering with the API key could facilitate further compromise by allowing the attacker to impersonate the site in requests to the Guardian data service. The overall risk therefore hinges on the likelihood of a successful social‑engineering campaign against site administrators.
OpenCVE Enrichment