Impact
The vulnerability in the AA Web Servant 12 Step Meeting List plugin allows an attacker to alter plugin settings without proper authorization, which can change the way meetings are displayed or managed. The weakness, classified as CWE-862 (Missing Authorization), means the plugin does not adequately check whether the requesting user is permitted to change settings, so a user with limited privileges can perform actions normally reserved for administrators. This flaw can lead to loss of configuration integrity and potential exploitation of downstream features that rely on those settings.
Affected Systems
The plugin is distributed by AA Web Servant and is vulnerable in all releases from the initial version up through version 3.16.5. WordPress sites that have any of these plugin versions installed are at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity risk, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, further implying it has not been observed in widespread attacks yet. Based on the description, the likely attack vector is through authenticated user access that can invoke the plugin’s settings interface; an attacker would exploit the missing authorization checks to modify settings. No specific prerequisite is described beyond access to the plugin’s settings page.
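As an added example that is not the plugin's code, the following hypothetical WordPress AJAX settings handler shows the CWE-862 pattern the advisory describes (a settings write reachable by any authenticated user, with no capability check) beside a hardened version that verifies a nonce and the manage_options capability before writing. All function, action, option and nonce names are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code). Function, action, option and nonce
// names are hypothetical; the WordPress API calls are real.

// Weak pattern (CWE-862): any logged-in user who can reach admin-ajax.php
// can trigger this action, and nothing checks who is asking or whether the
// request was intentionally sent from the settings page.
function example_save_settings_unchecked() {
    $display = sanitize_text_field( wp_unslash( $_POST['display_mode'] ?? '' ) );
    update_option( 'example_meeting_display', $display ); // state change, no authz
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_unchecked', 'example_save_settings_unchecked' );

// Hardened pattern: reject the request unless it carries a valid nonce issued
// for this action (CSRF) AND the caller holds the administrator-level
// capability (authorization). The nonce is minted for the settings page with
// wp_create_nonce( 'example_settings_nonce' ) and posted as the 'nonce' field.
function example_save_settings() {
    // $die = false so the handler returns false instead of exiting on failure.
    if ( ! check_ajax_referer( 'example_settings_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }
    // Only users who may manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    // Allow-list the value rather than storing raw input (assumed modes).
    $allowed = array( 'list', 'table', 'map' );
    $display = sanitize_text_field( wp_unslash( $_POST['display_mode'] ?? '' ) );
    if ( ! in_array( $display, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid display mode' ), 400 );
    }
    update_option( 'example_meeting_display', $display );
    wp_send_json_success( array( 'display_mode' => $display ) );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
```

When auditing a plugin for this class of bug, look for every wp_ajax_*, REST route and admin-post handler that calls update_option() or similar and confirm each one performs both checks before the write.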
OpenCVE Enrichment