Impact
A missing authorization check in the WordPress ts-tree plugin lets an attacker delete arbitrary content. The weakness is incorrectly configured access control, which makes the flaw exploitable by any user who can interact with the plugin's functionality. The description does not detail the exact trigger; the inferred attack vector is that an authenticated or remote user with sufficient privileges to invoke the plugin can execute delete operations on any content item. The consequence is the loss of legitimate content, potentially harming website integrity and business continuity.
Affected Systems
WordPress installations that include the ts-tree plugin version 0.1.1 or earlier are impacted. This covers any site where the plugin is installed under the tsecher:ts-tree package, regardless of the WordPress version, because the flaw exists in all plugin releases up to and including 0.1.1.
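A check for the affected range described above, as an added example that is not part of the advisory or the plugin: it reads the plugin header under `wp-content/plugins/ts-tree` and flags version 0.1.1 or earlier. The install path follows the standard WordPress layout; the sample main file name `ts-tree.php` and its header text are assumptions.

```python
import re
import tempfile
from pathlib import Path

SLUG = "ts-tree"            # plugin slug named in the advisory
LAST_AFFECTED = (0, 1, 1)   # advisory: 0.1.1 and earlier are affected

# Same header style WordPress parses: optional comment characters, then "Key: value".
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'0.1.1' -> (0, 1, 1); anything after the leading dotted number is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def installed_version(wp_root, slug=SLUG):
    """Version string from the plugin's header, or None if the plugin is absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top of the file
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return m.group(1) if m else "unknown"
    return "unknown"  # directory exists but no readable header

def is_affected(version):
    """True for 0.1.1 or earlier; an unreadable version is treated as affected."""
    if version is None:
        return False
    v = parse_version(version)
    if not v:
        return True
    return v + (0,) * (3 - len(v)) <= LAST_AFFECTED

def demo(version):
    """Constructed sample tree (file name and header text are assumptions)."""
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root) / "wp-content" / "plugins" / SLUG
        plugin.mkdir(parents=True)
        (plugin / "ts-tree.php").write_text(f"<?php\n/*\n * Plugin Name: TS Tree\n * Version: {version}\n */\n")
        found = installed_version(root)
        return found, is_affected(found)

if __name__ == "__main__":
    for sample in ("0.1.0", "0.1.1", "0.2.0"):
        print(sample, demo(sample))
```

Point `installed_version()` at a real WordPress root to check a live site; a result of `None` means the plugin directory is not present.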
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity vulnerability, and the EPSS score of less than 1% suggests that exploit attempts in the wild are unlikely at present. The issue is not listed in the CISA KEV catalog, so there is no known large-scale exploitation campaign targeting it. Nonetheless, the risk lies primarily in the potential for data loss rather than in privilege escalation or external compromise. An attacker could achieve deletion without needing privileged system access, which makes the flaw attractive in scenarios where users have some level of access to the WordPress admin interface and the plugin's features.