Impact
This vulnerability is a missing authorization flaw (CWE-862) in the WordPress Graphs & Charts plugin (graph-lite): an attacker can reach plugin functionality whose access-control level is incorrectly configured. The flaw enables unauthorized operations against the plugin’s administration features, potentially permitting malicious users to create, edit, or delete charts and to access sensitive data managed by the plugin.
Affected Systems
The plugin, WordPress Graphs & Charts (slug graph-lite), is released by wptasker for WordPress websites. All versions up to and including 2.0.8 are affected: any site that has installed graph-lite version 2.0.8 or earlier is vulnerable.
Risk and Exploitability
The vulnerability carries a CVSS score of 5.4, representing moderate severity. Its EPSS score is below 1%, suggesting that the likelihood of exploitation at this time is low, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation would most likely occur through the web interface of a WordPress site that has the plugin installed and active, where a user with insufficient privileges could reach administrative functions of the plugin. If an attacker can authenticate to the site, or obtains valid credentials by exploiting another vulnerability, the missing authorization check in graph-lite would allow them to perform actions that should be restricted to administrators.
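To make the CWE-862 pattern concrete for defenders and plugin maintainers, the following is an added illustration, not code from the graph-lite plugin or from wptasker (the advisory does not show the affected code). It contrasts a hypothetical WordPress AJAX handler that only requires a logged-in session with a hardened version that verifies a nonce and a capability before acting. All names (gl_demo_save_chart, the 'gl_demo_save_chart' nonce action, the 'toplevel_page_gl_demo' admin hook, the gl_demo_chart_ option prefix) are assumed for the example.

```php
<?php
/*
 * Illustrative example only. The function, hook, nonce and option names below
 * are assumed and are not the graph-lite plugin's own identifiers.
 */

// Weak pattern (CWE-862): a handler hooked on wp_ajax_* is reachable by any
// authenticated user, so without an explicit capability check a subscriber-level
// account can perform an administrative operation. Shown for contrast; it is
// deliberately not registered with add_action().
function gl_demo_save_chart_unchecked() {
    $chart_id = isset( $_POST['chart_id'] ) ? absint( $_POST['chart_id'] ) : 0;
    $title    = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'gl_demo_chart_' . $chart_id, $title );
    wp_send_json_success();
}

// Hardened pattern: confirm the request is intentional (nonce) and that the
// caller holds an appropriate capability before touching any data.
function gl_demo_save_chart() {
    // Rejects requests without a valid nonce for this action (dies with 403).
    check_ajax_referer( 'gl_demo_save_chart', 'nonce' );

    // Authorization: only users who may manage site options can save charts.
    // Using a capability rather than a role keeps the check correct for custom roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation after authorization, so unauthenticated probes learn nothing.
    $chart_id = isset( $_POST['chart_id'] ) ? absint( $_POST['chart_id'] ) : 0;
    $title    = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( 0 === $chart_id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    update_option( 'gl_demo_chart_' . $chart_id, $title );
    wp_send_json_success( array( 'chart_id' => $chart_id ) );
}
add_action( 'wp_ajax_gl_demo_save_chart', 'gl_demo_save_chart' );

// The nonce is minted server-side and handed to the plugin's admin page script,
// so the JavaScript can send it as the 'nonce' POST field.
function gl_demo_enqueue_admin_script( $hook ) {
    if ( 'toplevel_page_gl_demo' !== $hook ) {
        return; // only load on the plugin's own admin page
    }
    wp_enqueue_script( 'gl-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'gl-demo-admin', 'glDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'gl_demo_save_chart' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'gl_demo_enqueue_admin_script' );
```

Two points worth noting when reviewing a plugin for this flaw class: the nonce check alone is not authorization (any logged-in user who can load the page can obtain a nonce), and `is_user_logged_in()` is not authorization either; the `current_user_can()` check against a specific capability is what actually enforces the intended privilege level.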
OpenCVE Enrichment