The reported vulnerability is a missing authorization flaw in the WP Fast Total Search plugin, which allows an attacker to exploit incorrectly configured access control security levels within the plugin. This weakness, identified as CWE‑862, can lead to unauthorized disclosure or modification of data that the plugin handles, thereby compromising the confidentiality and integrity of content managed by WordPress. No information about denial of service or code execution is provided, so the impact is restricted to data access control.

The plugin affected is Epsiloncool’s WP Fast Total Search for WordPress. All releases from the earliest available version up to and including 1.78.258 are vulnerable. No specific WordPress core version is mentioned, but the plugin operates within any WordPress installation where it has been installed.

The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild today. The vulnerability is not listed in the CISA KEV catalog, which further supports a limited threat window. Attackers would most likely trigger the flaw by sending crafted HTTP requests to the plugin’s search endpoint, bypassing any role‑based checks that should normally restrict access. If the plugin is misconfigured to allow all users or visitors to invoke the search function, the missing authorization check becomes exploitable without any additional authentication.