Impact
This vulnerability is a Missing Authorization flaw, which allows users to access functionality that is not properly protected by access controls. Affected code paths can be reached without verifying the caller’s permissions, enabling unauthorized use of the plugin’s administrative features. The weakness corresponds to CWE-862, and while it does not allow arbitrary code execution, it can lead to data tampering, configuration changes, or other unintended actions within the WordPress site.
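To make the CWE-862 pattern concrete for a WordPress plugin, the following is an added illustrative example written for this page; it is not Button Block's code and does not show the actual affected code path. The handler names, option name, nonce action and REST namespace are hypothetical. It contrasts an admin-ajax handler that performs a privileged action with no permission check against a hardened version that verifies a nonce and a capability first, and shows the equivalent REST route with a proper `permission_callback`.

```php
<?php
// Illustrative example only: a settings-save endpoint in a hypothetical
// WordPress plugin. All names (example_*, 'example_settings') are assumed.

// Missing-authorization pattern (CWE-862). The handler is reachable by any
// logged-in user via admin-ajax.php?action=example_save_settings (and by
// anonymous visitors if also hooked to wp_ajax_nopriv_*), yet it changes a
// site-wide option without checking who is calling.
function example_save_settings_unchecked() {
	$settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
	update_option( 'example_settings', $settings );
	wp_send_json_success();
}
// Not registered here; shown only for comparison with the hardened handler.

// Hardened handler: anti-CSRF nonce check, then an explicit capability check
// tied to the sensitivity of the action, then input sanitization.
function example_save_settings_hardened() {
	// Aborts with HTTP 403 if the 'nonce' field is missing or invalid.
	check_ajax_referer( 'example_settings_nonce', 'nonce' );

	// Authorization: only users allowed to manage site options may proceed.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
	$settings = array_map( 'sanitize_text_field', $raw );
	update_option( 'example_settings', $settings );
	wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// Same action exposed over the REST API. The REST layer already validates the
// X-WP-Nonce header for cookie-authenticated requests, so authorization lives
// in permission_callback. Registering the route with
// 'permission_callback' => '__return_true' would recreate the CWE-862 flaw.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/settings', array(
		'methods'             => 'POST',
		'callback'            => function ( WP_REST_Request $request ) {
			$raw      = (array) $request->get_param( 'settings' );
			$settings = array_map( 'sanitize_text_field', $raw );
			update_option( 'example_settings', $settings );
			return rest_ensure_response( array( 'updated' => true ) );
		},
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
	) );
} );
```

When auditing a plugin for this class of issue, the points to inspect are exactly these: every `wp_ajax_*` / `wp_ajax_nopriv_*` hook, every `register_rest_route()` call, and every `admin_post_*` handler, checking that each one that changes state gates on a capability (`current_user_can()`) rather than only on the user being logged in, and that REST routes do not use `__return_true` as their permission callback for state-changing methods.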
Affected Systems
bPlugins Button Block, a WordPress plugin, is impacted for all releases up to and including version 1.1.5. The issue applies across all operating systems and installations that use any of the affected releases; no specific OS or deployment details are provided.
Risk and Exploitability
The CVSS score for this issue is 4.3, indicating low severity. EPSS indicates an exploitation probability of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. The likely attacker is an authenticated or unauthenticated user who can send requests to the plugin's endpoints; because the missing authorization check applies whenever those endpoints are reachable rather than only in a particular phase of use, the flaw lends itself to automated exploitation if the site is publicly accessible. However, the low EPSS score suggests attackers may not prioritize this flaw in the current threat landscape.