Impact
The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress contains a Cross‑Site Request Forgery vulnerability caused by the omission of nonce validation in its settings update routine. Because the plugin accepts option changes without verifying that the request originated from its own settings form, an unauthenticated attacker can craft a forged request that a logged-in administrator unknowingly submits, allowing the attacker to modify the Knowledge Graph settings. Such a configuration change could lead to incorrect metadata being published or even injection of malicious links, compromising the integrity of published content.
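To make the missing-nonce defect concrete, the following is an added illustrative example written for this page; it is not the plugin's own code, and the function names (`kg_profiles_*`), the option key `kg_social_profiles`, the `admin_post` action name and the settings page slug are all assumed for illustration. It places a settings handler that accepts any POST beside the hardened form of the same handler, which requires a WordPress nonce tied to the user's session and the specific action, checks the `manage_options` capability, and validates the submitted URLs before storing them.

```php
<?php
// Added illustrative example, not code from the plugin or its author.
// All names below (kg_profiles_*, kg_social_profiles, kg-profiles) are hypothetical.

// --- Vulnerable pattern: no nonce, no capability check -------------------
// A handler written like this accepts any POST that reaches admin-post.php
// with action=kg_profiles_save. A page on another site can auto-submit such
// a form while an administrator is logged in, and WordPress will store
// whatever values it carries.
function kg_profiles_save_unsafe() {
    $profiles = isset( $_POST['kg_profiles'] ) ? (array) $_POST['kg_profiles'] : array();
    update_option( 'kg_social_profiles', $profiles ); // stored verbatim
    wp_safe_redirect( admin_url( 'options-general.php?page=kg-profiles' ) );
    exit;
}
// (In the vulnerable design this would be hooked with add_action; it is left
// unregistered here on purpose.)

// --- Hardened pattern ------------------------------------------------------
// The settings form carries a nonce bound to the action 'kg_profiles_save'.
// The nonce is derived from the current user's session, so a cross-site page
// cannot know or forge it.
function kg_profiles_render_form() {
    $saved = (array) get_option( 'kg_social_profiles', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="kg_profiles_save">
        <?php wp_nonce_field( 'kg_profiles_save', 'kg_profiles_nonce' ); ?>
        <input type="url" name="kg_profiles[]" value="<?php echo esc_attr( $saved[0] ?? '' ); ?>">
        <?php submit_button( 'Save profiles' ); ?>
    </form>
    <?php
}

function kg_profiles_save_safe() {
    // 1. Authorization: only users allowed to change site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Request-origin check: check_admin_referer() verifies the nonce in
    //    $_POST['kg_profiles_nonce'] against the action and the current user's
    //    session, and terminates the request (HTTP 403) when it is missing or
    //    invalid. This is the check whose absence constitutes the CSRF.
    check_admin_referer( 'kg_profiles_save', 'kg_profiles_nonce' );

    // 3. Input validation: keep only well-formed http(s) URLs so that even an
    //    authorized submission cannot store arbitrary link text.
    $raw      = isset( $_POST['kg_profiles'] ) ? (array) wp_unslash( $_POST['kg_profiles'] ) : array();
    $profiles = array();
    foreach ( $raw as $url ) {
        $url = esc_url_raw( trim( (string) $url ), array( 'http', 'https' ) );
        if ( '' !== $url ) {
            $profiles[] = $url;
        }
    }

    update_option( 'kg_social_profiles', $profiles );
    wp_safe_redirect( admin_url( 'options-general.php?page=kg-profiles&updated=1' ) );
    exit;
}
add_action( 'admin_post_kg_profiles_save', 'kg_profiles_save_safe' );
```

The capability check and the nonce check answer different questions: `current_user_can()` asks whether this user may change the setting, while `check_admin_referer()` asks whether this user actually intended to submit this request from the plugin's form. A handler that performs only the first remains exposed to CSRF, which is the situation the advisory describes; plugins that use the Settings API (`register_setting()` with `options.php`) get the nonce check from WordPress core, whereas custom `admin_post` or `admin_init` handlers must perform it themselves.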
Affected Systems
WordPress sites running omarnas’ Add Google Social Profiles to Knowledge Graph Box plugin, version 1.0 or earlier. Any installation on those versions is affected whenever a logged-in administrator (or another user holding editor or admin privileges) can be tricked into clicking a malicious link.
Risk and Exploitability
The CVSS base score for this issue is 4.3, indicating moderate risk. EPSS information is not published and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to target a site administrator and socially engineer a click on a crafted link, which limits the scope to sites with the vulnerable plugin installed. Although the attack requires user interaction, the absence of nonce checks means any forged request is accepted once it arrives, so exploitation is straightforward once a victim is lured. The overall risk is moderate, but affected installations should be mitigated promptly.
OpenCVE Enrichment