WordPress is vulnerable to cross-site request forgery (CSRF) attacks. Flaws in wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php allow attackers to hijack widget-access action requests.