This vulnerability is a missing authorization flaw that allows users to manipulate the Interactive Page Hierarchy plugin when access controls are incorrectly configured. The defect lets an attacker perform privileged operations such as adding, editing, or deleting page hierarchy entries without proper authentication, exposing the site to unauthorized content changes or site compromise. The weakness is classified as CWE-862, indicating a failure in access control enforcement.

The vulnerability applies to the Interactive Page Hierarchy plugin by gtekelis. Affected versions range from the first release through 1.0.1. No specific revision is pin-pointed beyond the upper bound of 1.0.1, so any version installation prior to or including that release is potentially impacted.

The CVSS score of 6.5 reflects moderate severity, while the EPSS score indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. Exploitation can be achieved through the WordPress admin interface by users who bypass normal role restrictions; the attack vector is inferred to be remote web-based, relying on the plugin’s exposed administrative endpoints. Because the weakness is an authorization bypass, an attacker who obtains even minimal authenticated access could leverage it to elevate privileges within the plugin scope.