Impact
The vulnerability resides in the update_popup_status() function of the ZoloBlocks WordPress plugin, which omits a capability check. As a result, any user who can submit requests to the plugin can toggle pop-up settings without authentication. The flaw, classified as missing authorization (CWE-862), permits attackers to enable or disable pop-ups on the site, potentially disrupting the user experience and undermining trust in site functionality. While it does not expose private data or allow code execution, the ability to alter site configuration constitutes a significant impact on the integrity of the application.
Affected Systems
All installations of the bdthemes ZoloBlocks Gutenberg Block Editor Plugin for WordPress, in all versions up to and including 2.3.11, are affected. The plugin is typically used to add advanced blocks, dynamic content, templates, and patterns to WordPress sites.
Risk and Exploitability
The description implies that the attack vector is network-based and unauthenticated, since the missing capability check allows anyone to craft a request to the update_popup_status() endpoint. The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further implying limited or no documented exploitation. Because no authentication is required, attackers can exploit the flaw without credentials, but the endpoint exposed by the plugin must be publicly reachable for the exploit to succeed.
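The missing-authorization pattern described under Impact and Risk and Exploitability, shown as an added illustration that is not ZoloBlocks' own code: a hypothetical WordPress AJAX handler that flips a pop-up option with no capability check, beside the hardened form. The hook names, option name, nonce action and the choice of an admin-ajax endpoint (rather than a REST route) are assumptions; the advisory does not say which mechanism the real plugin uses.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin handler (constructed,
// not ZoloBlocks' code). Hook, option and nonce names are assumptions.

// BEFORE: every request that reaches the endpoint flips the setting. Neither
// the caller's capability nor a nonce is verified, and the nopriv hook makes
// the handler reachable by visitors who are not logged in at all.
function zb_demo_update_popup_status_vulnerable() {
    $status = isset( $_POST['status'] ) ? $_POST['status'] : '';
    update_option( 'zb_demo_popup_enabled', ( 'on' === $status ) ? 1 : 0 );
    wp_send_json_success( array( 'status' => $status ) );
}
add_action( 'wp_ajax_zb_demo_popup_vulnerable', 'zb_demo_update_popup_status_vulnerable' );
add_action( 'wp_ajax_nopriv_zb_demo_popup_vulnerable', 'zb_demo_update_popup_status_vulnerable' );

// AFTER: reject forged requests (nonce), require a capability appropriate for
// changing site configuration, sanitize the input, and only then write the option.
function zb_demo_update_popup_status_fixed() {
    // check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'zb_demo_popup_status', 'nonce' );

    // The authorization check the vulnerable handler omits. manage_options is the
    // usual capability for site-wide settings; wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $status  = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    $enabled = ( 'on' === $status ) ? 1 : 0;
    update_option( 'zb_demo_popup_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
// Only the authenticated hook is registered; there is deliberately no
// wp_ajax_nopriv_ variant, so anonymous requests never reach the handler.
add_action( 'wp_ajax_zb_demo_popup_fixed', 'zb_demo_update_popup_status_fixed' );
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*`, `wp_ajax_nopriv_*` and REST `permission_callback` registration and confirm the handler itself enforces a capability, since the hook alone proves nothing about who is allowed to change state.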
OpenCVE Enrichment