The Password Policy Manager | Password Manager plugin for WordPress contains a missing capability check on the 'moppm_ajax' AJAX endpoint in versions up to and including 2.0.5. This flaw is categorized as a CWE‑862 missing authorization problem. It permits any authenticated user with a Subscriber role or higher to trigger the endpoint, causing the site to log out of its connection to the MiniOrange authentication service. The result is an unauthorized modification of plugin data that can disrupt the authentication flow and potentially prevent users from logging in via MiniOrange after the logout occurs.

All installations of the Password Policy Manager | Password Manager plugin for WordPress in versions 2.0.5 or earlier are affected. The plugin is developed by cyberlord92 and is available through the WordPress repository. Administrators should verify the installed version and upgrade or remove the plugin if it falls within the vulnerable range.

The vulnerability has a CVSS score of 4.3, indicating moderate severity, and an EPSS score of less than 1 %, showing a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers must be authenticated with at least Subscriber permissions, so the attack vector is inferred to be a local, authenticated request to the AJAX endpoint. Because of the low exploitation probability and moderate impact, the overall risk is moderate but still noteworthy for maintaining authentication integrity.