Impact
The vulnerability is a missing authorization flaw in the PayPal Marketing Solutions WordPress plugin that permits unauthorized users to access or modify resources that should be protected. Attackers with insufficient privileges may be able to view or alter plugin settings, potentially exposing sensitive advertising or payment data. The weakness is classified as missing authorization (CWE-862) and results in a moderate impact on confidentiality and integrity.
Affected Systems
The affected product is the PayPal Marketing Solutions WordPress plugin developed by paypalmuse. All releases up to and including version 1.2 are impacted, regardless of release date. System administrators should verify the plugin version installed on each site and treat any instance running version 1.2 or earlier as susceptible.
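One way to carry out the version check described above, as an added example that is not part of the advisory or the plugin's code: it reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) from each plugin's top-level PHP files and reports copies at or below 1.2. The directory names, file names and the 1.3 version in the sample tree are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_NAME = "PayPal Marketing Solutions"  # product name as given in the advisory
LAST_AFFECTED = (1, 2)                        # "up to and including version 1.2"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def read_header(php_file):
    """Return the 'plugin name' and 'version' header fields found in the file's first 8 KB."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def version_tuple(text):
    """'1.2' -> (1, 2); suffixes such as '-beta' are ignored, and 1.2.0 equals 1.2."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def find_affected(plugins_dir):
    """Return (path, version) for installed copies at or below the last affected version."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if AFFECTED_NAME.lower() not in header.get("plugin name", "").lower():
            continue
        version = header.get("version", "")
        # A copy with no readable version cannot be shown to be newer, so report it too.
        if not version or version_tuple(version) <= LAST_AFFECTED:
            hits.append((str(php_file), version or "unknown"))
    return hits

def demo():
    """Constructed sample tree; the advisory names no release above 1.2, so 1.3 is hypothetical."""
    samples = {"sample-paypal-plugin": ("PayPal Marketing Solutions", "1.2"),
               "sample-newer-copy": ("PayPal Marketing Solutions", "1.3"),
               "sample-other-plugin": ("Some Other Plugin", "0.9")}
    with tempfile.TemporaryDirectory() as root:
        for slug, (name, ver) in samples.items():
            plugin_dir = Path(root, slug)
            plugin_dir.mkdir()
            (plugin_dir / "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return [(Path(p).parent.name, v) for p, v in find_affected(root)]

if __name__ == "__main__":
    print(demo())
```

Point `find_affected` at a site's `wp-content/plugins` directory to audit a real installation.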
Risk and Exploitability
The CVSS score of 4.3 reflects a moderate risk, and the EPSS score of <1 % indicates a very low likelihood that this flaw will be exploited in the wild at present. The vulnerability is not listed in the CISA KEV catalog, which further suggests that it is not a known high-profile exploit target. Attackers would likely need to target the web interface of a WordPress site that hosts the plugin and would exploit the missing authorization checks to read or change configuration data. Because the flaw is contained within the plugin, a successful exploit would be limited to the plugin’s functionality rather than the entire WordPress installation, but it still poses a risk to data that the plugin handles.