Impact
The vulnerability in the WP Journal plugin stems from a missing authorization check, which results in broken access control. An attacker who can reach the plugin’s interface could read or modify configuration settings beyond their intended permissions. This flaw is classified as CWE-862 (Missing Authorization), which covers code paths that perform an operation without first verifying that the caller is permitted to do so. The impact includes potential data exposure or tampering with the plugin’s configuration, which could change how content is displayed or managed on the WordPress site.
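As an added illustration of the CWE-862 pattern described above (not WP Journal’s own code; the hook names, option name and hypothetical `wpj_example_` prefix are assumptions), here is a WordPress settings handler that lacks an authorization check beside a hardened version that gates the same operation on a nonce and a capability:

```php
<?php
// Added example, not WP Journal's code. All wpj_example_* names are hypothetical.

// VULNERABLE (CWE-862): any request that reaches this admin-ajax.php hook,
// including one from a low-privilege logged-in user, can overwrite the
// option, because the handler never asks WordPress whether the caller may.
function wpj_example_save_settings_vulnerable() {
    $layout = isset( $_POST['layout'] ) ? sanitize_text_field( wp_unslash( $_POST['layout'] ) ) : '';
    update_option( 'wpj_example_layout', $layout );
    wp_send_json_success( array( 'layout' => $layout ) );
}
add_action( 'wp_ajax_wpj_example_save_vulnerable', 'wpj_example_save_settings_vulnerable' );

// HARDENED: verify a nonce (request forgery) and a capability (authorization)
// before touching plugin configuration. manage_options is the usual bar for
// site-wide settings; a narrower plugin-specific capability is better if one exists.
function wpj_example_save_settings_hardened() {
    check_ajax_referer( 'wpj_example_save', 'nonce' ); // terminates with 403 on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $allowed = array( 'list', 'grid' ); // accept only known-good values
    $layout  = isset( $_POST['layout'] ) ? sanitize_text_field( wp_unslash( $_POST['layout'] ) ) : '';
    if ( ! in_array( $layout, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid layout.' ), 400 );
    }

    update_option( 'wpj_example_layout', $layout );
    wp_send_json_success( array( 'layout' => $layout ) );
}
add_action( 'wp_ajax_wpj_example_save', 'wpj_example_save_settings_hardened' );

// Reads of non-public configuration need the same gate as writes.
function wpj_example_get_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'layout' => get_option( 'wpj_example_layout', 'list' ) ) );
}
add_action( 'wp_ajax_wpj_example_get', 'wpj_example_get_settings' );
```

The nonce check alone does not fix the authorization flaw: a valid nonce proves the request came from the user’s own session, while `current_user_can()` is what decides whether that user is allowed to change settings at all.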
Affected Systems
WordPress sites running the WP Journal plugin at version 1.1 or earlier are affected. Site owners who have not yet upgraded past 1.1 should confirm whether the plugin is installed (the Plugins screen or `wp plugin list` shows the installed version) and update it. The flaw is present in every instance of the mediabeta:WP Journal product that falls within the <=1.1 version range.
Risk and Exploitability
Based on the description, an attacker would first need some level of access to the WordPress site, such as a compromised user account or an exposed admin interface, and would then use that access to exploit the plugin’s insufficient ACL checks. The CVSS score of 6.5 indicates a moderate security risk, and the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is site-level access or a compromised user account, which limits the impact to unauthorized configuration changes.