Impact
The vulnerability originates from a missing capability check in the handle_module_actions function of the Ultimate Dashboard – Custom WordPress Dashboard plugin. Because this check is absent, any authenticated user with at least Subscriber‑level access can toggle the activation state of individual plugin modules. This gives the attacker the ability to change the site's functionality: enabling legacy or experimental modules, disabling critical features, or altering the user experience in ways the site administrator did not intend. The weakness is classified as CWE‑862 (Missing Authorization): the handler performs a privileged modification without verifying that the caller is authorized to request it. The direct impact is a loss of control over which modules are active, undermining the site's intended behavior and integrity.
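To make the weakness concrete, the following is an added illustration and not the plugin's own code: a generic WordPress AJAX handler that toggles a module flag, shown first in the unchecked form the advisory describes and then with the capability and nonce checks in place. Every identifier (the action names, the `example_modules` option, the module keys) is hypothetical and is not taken from Ultimate Dashboard.

```php
<?php
// Added example, not code from the Ultimate Dashboard plugin. All names below
// (hooks, option key, module keys) are hypothetical placeholders.

// BEFORE: the pattern the advisory describes (CWE-862, Missing Authorization).
// wp_ajax_* hooks run for ANY logged-in user, including Subscribers, so with no
// capability check this handler lets any account flip module state.
function example_toggle_module_unchecked() {
    $module  = sanitize_key( $_POST['module'] ?? '' );
    $enable  = ! empty( $_POST['enable'] );
    $modules = get_option( 'example_modules', array() );

    $modules[ $module ] = $enable;          // privileged change, no authorization gate
    update_option( 'example_modules', $modules );
    wp_send_json_success( $modules );
}
add_action( 'wp_ajax_example_toggle_module_unchecked', 'example_toggle_module_unchecked' );

// AFTER: hardened form with two independent gates.
//  1. check_ajax_referer() rejects requests that lack a valid nonce (CSRF defence).
//  2. current_user_can( 'manage_options' ) restricts the action to administrators;
//     this is the authorization check whose absence the advisory reports.
// Both wp_send_json_error() calls terminate the request via wp_die(), so the
// option is never written on a failed check.
function example_toggle_module_checked() {
    check_ajax_referer( 'example_toggle_module', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Allow-list the module keys so the option cannot be polluted with arbitrary names.
    $allowed = array( 'module_a', 'module_b', 'module_c' ); // hypothetical module keys
    $module  = sanitize_key( $_POST['module'] ?? '' );
    if ( ! in_array( $module, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown module.' ), 400 );
    }

    $enable  = rest_sanitize_boolean( $_POST['enable'] ?? false );
    $modules = get_option( 'example_modules', array() );

    $modules[ $module ] = $enable;
    update_option( 'example_modules', $modules );
    wp_send_json_success( $modules );
}
add_action( 'wp_ajax_example_toggle_module_checked', 'example_toggle_module_checked' );
```

When reviewing a plugin for this class of bug, the thing to look for is exactly the gap between the two handlers: any function registered on a `wp_ajax_*` (or `admin_post_*`, or REST `permission_callback`) hook that calls `update_option()`, `delete_option()` or similar without a preceding `current_user_can()` check. The nonce check alone is not sufficient, since a Subscriber can obtain a valid nonce for their own session.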
Affected Systems
The affected product is the Ultimate Dashboard – Custom WordPress Dashboard plugin developed by David Vongries. Versions up to and including 3.8.7 are vulnerable. No other products or versions are listed.
Risk and Exploitability
The CVSS score of 4.3 places the flaw in the moderate range, reflecting that while the attacker must be authenticated, the lack of an authorization check materially affects configuration. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the authenticated WordPress interface, where a user with Subscriber or higher role can invoke the module activation endpoint. No public exploit is reported, and the exploitability is limited to sites that have not applied the latest plugin release.
OpenCVE Enrichment