Impact
This vulnerability is a missing authorization flaw in the tamlyn Database Sync plugin for WordPress. The flaw allows an attacker who can reach the plugin's API endpoints to bypass normal access controls and retrieve confidential data from the site's database. The weakness is identified as CWE-862: Authorization Bypass Through User-Controlled Key. It can lead to unauthorized disclosure of sensitive information stored in the database, such as user credentials, configuration settings, or other proprietary data.
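As an added illustration (not the plugin's own code), the pattern behind this class of flaw in a WordPress REST endpoint and the authorization check that closes it; the namespace, route names and table name are hypothetical:

```php
<?php
// Added example, not code from the Database Sync plugin. It registers two
// hypothetical REST routes that return rows from a database table: one with
// the missing-authorization defect and one hardened. Names are placeholders.

// VULNERABLE PATTERN: permission_callback always returns true, so any visitor
// who can reach /wp-json/dbsync-example/v1/rows receives the table contents.
// This is the CWE-862 "missing authorization" shape described above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'dbsync-example/v1', '/rows', array(
        'methods'             => 'GET',
        'callback'            => 'dbsync_example_get_rows',
        'permission_callback' => '__return_true', // no access control at all
    ) );
} );

// HARDENED PATTERN: the same handler is only reachable by a user holding a
// capability that implies administrative access. Cookie-authenticated REST
// calls also require a valid nonce, so an anonymous request is rejected with
// 401 and an authenticated but unprivileged one with 403.
add_action( 'rest_api_init', function () {
    register_rest_route( 'dbsync-example/v1', '/rows-secure', array(
        'methods'             => 'GET',
        'callback'            => 'dbsync_example_get_rows',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges to read synchronised data.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Shared handler: reads a fixed, hypothetical table. The identifier is not
// taken from the request, so the only control that matters is the
// permission_callback attached to the route.
function dbsync_example_get_rows( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'dbsync_example_settings'; // placeholder table
    $rows  = $wpdb->get_results( "SELECT * FROM {$table}", ARRAY_A );
    return rest_ensure_response( $rows );
}
```

When auditing a plugin for this flaw, grep for register_rest_route calls whose permission_callback is '__return_true' or absent and confirm each one is intentionally public.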
Affected Systems
WordPress sites running tamlyn Database Sync version 0.5.1 or earlier are affected. All builds from the initial release up to and including 0.5.1 are listed as vulnerable by the CNA.
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability in the medium severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog, which indicates that no confirmed exploitation has been publicly reported. The likely attack vector is a remote web-based request against the plugin's exposed endpoints, which an attacker could exploit if the site or network does not properly restrict access to those URLs. Given the combination of moderate severity and low exploit likelihood, the risk is moderate, but it should still be mitigated promptly to prevent potential data leakage.