Impact
The vulnerability is a missing authorization flaw in the kbowson Title Experiments Free WordPress plugin. The plugin exposes functionality without adequately checking the caller's access level, so an attacker can interact with functions that should be restricted to higher-privilege users, potentially exposing sensitive data or compromising the site's integrity. The weakness is classified as CWE-862 (Missing Authorization). Without a proper check, a malicious user could use these exposed endpoints to read, modify, or delete content beyond their allowed scope.
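To make the CWE-862 pattern concrete, here is an added illustration (not code from Title Experiments Free or from kbowson) of a WordPress admin-ajax handler written first without any authorization check and then with the checks a plugin should perform. The action names, function names, nonce action and meta key are all invented for the example.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical "save title
// variant" admin-ajax handler, shown in its missing-authorization form and
// in a hardened form. All names below are invented.

// --- Vulnerable pattern: any logged-in user can reach a wp_ajax_ hook. ---
function hypo_save_variant_unchecked() {
    $post_id = (int) ( $_POST['post_id'] ?? 0 );
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // No capability check and no nonce: a low-privilege authenticated user
    // (or a CSRF victim) can overwrite the variant on any post.
    update_post_meta( $post_id, '_hypo_title_variant', $title );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_variant_unchecked', 'hypo_save_variant_unchecked' );

// --- Hardened pattern: nonce (CSRF) plus a capability check on the object. ---
function hypo_save_variant_checked() {
    // Terminates the request unless a valid nonce for this action is present.
    check_ajax_referer( 'hypo_save_variant', 'nonce' );

    $post_id = (int) ( $_POST['post_id'] ?? 0 );
    // Authorization: the caller must be allowed to edit *this* post, not
    // merely be logged in. The check fails closed with HTTP 403.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $post_id, '_hypo_title_variant', $title );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_variant_checked', 'hypo_save_variant_checked' );
// Deliberately no wp_ajax_nopriv_ registration, so unauthenticated visitors
// cannot reach the handler at all.
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_`, `wp_ajax_nopriv_`, `admin_post_` and `register_rest_route` registration and confirm that each handler (or its `permission_callback`) checks a capability appropriate to the object being changed, not just that a user is logged in.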
Affected Systems
This issue affects the Title Experiments Free plugin by kbowson. All versions from the initial release up through 9.0.4 are vulnerable. No later versions are known to be impacted.
Risk and Exploitability
The CVSS score of 4.3 places the vulnerability in the moderate range, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog, though that does not preclude it from being targeted by malicious actors. Attackers would likely need a prior foothold or knowledge of restricted URLs; the flaw does not grant remote code execution but enables unauthorized actions within the plugin’s feature set.