Impact
The Ace Post Type Builder plugin contains a missing authorization check in the cptb_delete_custom_taxonomy() function: any authenticated user with Subscriber privileges or higher can delete arbitrary custom taxonomies. This is a Missing Authorization weakness (CWE-862). Exploitation destroys taxonomy definitions, which breaks content categorization and can leave parts of the site non-functional. The impact is a loss of integrity for the affected taxonomies and any content that relies on them; the flaw does not by itself provide code execution or disclosure of sensitive data.
Affected Systems
The vulnerability affects all installations of Ace Post Type Builder version 1.9 and earlier, distributed by buywptemplates. Every WordPress site running one of those versions is vulnerable, regardless of its size or user count: the check is absent from the plugin code itself, so no plugin setting or configuration option restores it.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and exploits the flaw by sending a request to the taxonomy deletion endpoint with the 'taxonomy' parameter set to the target taxonomy. No privileges beyond Subscriber, the lowest default WordPress role, are required, so the attack path is straightforward once the attacker holds a valid user session; sites that allow open user registration effectively expose the endpoint to anyone.
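The following is an added illustration of the weakness class described above, not code from the Ace Post Type Builder plugin (the advisory does not reproduce the plugin's source). It shows a hypothetical WordPress AJAX handler that deletes a stored custom-taxonomy definition, first in the vulnerable shape (reachable by any logged-in user, no capability check) and then in a hardened form. The hook names, option name and nonce action ('example_delete_taxonomy', 'example_custom_taxonomies') are assumptions; the nonce check is an extra defence beyond the authorization fix the advisory calls for.

```php
<?php
// Illustrative example (not the plugin's code). Hook, option and nonce names are assumptions.

// Vulnerable pattern: wp_ajax_* runs for ANY authenticated user, and the handler
// never asks whether that user is allowed to change taxonomy definitions.
add_action( 'wp_ajax_example_delete_taxonomy', 'example_delete_taxonomy_unsafe' );
function example_delete_taxonomy_unsafe() {
    $slug = isset( $_POST['taxonomy'] ) ? sanitize_key( wp_unslash( $_POST['taxonomy'] ) ) : '';
    $defs = get_option( 'example_custom_taxonomies', array() );
    unset( $defs[ $slug ] );                      // a Subscriber reaches this line unchallenged
    update_option( 'example_custom_taxonomies', $defs );
    wp_send_json_success();
}

// Hardened form: verify intent (nonce) and authority (capability) before acting.
add_action( 'wp_ajax_example_delete_taxonomy_v2', 'example_delete_taxonomy_safe' );
function example_delete_taxonomy_safe() {
    // Dies with a -1 / 403 response when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_delete_taxonomy', 'nonce' );

    // manage_options is held only by Administrators in a default single-site install,
    // so Subscribers, Contributors, Authors and Editors are refused here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    $slug = isset( $_POST['taxonomy'] ) ? sanitize_key( wp_unslash( $_POST['taxonomy'] ) ) : '';
    $defs = get_option( 'example_custom_taxonomies', array() );
    if ( '' === $slug || ! isset( $defs[ $slug ] ) ) {
        wp_send_json_error( 'unknown_taxonomy', 400 );   // fail closed on bad input
    }

    unset( $defs[ $slug ] );
    update_option( 'example_custom_taxonomies', $defs );
    wp_send_json_success( array( 'deleted' => $slug ) );
}
```

The form or script that triggers the hardened handler must include a nonce generated with wp_create_nonce( 'example_delete_taxonomy' ) in the 'nonce' field, otherwise check_ajax_referer() rejects the request. When reviewing a plugin for this weakness, look at every wp_ajax_* and admin_post_* callback and confirm that a current_user_can() test with an appropriate capability runs before any state-changing call; the presence of a nonce alone does not establish authorization, because a Subscriber can obtain a valid nonce for their own session.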
OpenCVE Enrichment