Impact
The vulnerability is a missing authorization flaw: the plugin lets a user invoke plugin operations without the permission those operations require. The flaw stems from incorrectly configured access-control levels, enabling manipulation or retrieval of comment data. This weakness aligns with CWE-862 (Missing Authorization), meaning the plugin fails to enforce the required access checks before performing the operation.
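As an added illustration (not code from FV Thoughtful Comments or FolioVision), here is the CWE-862 pattern in a WordPress comment plugin: an admin-ajax handler that performs a comment operation without checking who is asking, next to the same handler enforcing a nonce and a capability check. The action names, function names and nonce name are hypothetical; only the WordPress APIs are real.

```php
<?php
// Added example, not the plugin's own code. Hook, function and nonce names
// are hypothetical; the WordPress functions called are real core APIs.

// --- Vulnerable pattern (CWE-862): reachable via admin-ajax.php by any
// logged-in user (and by unauthenticated users too if a wp_ajax_nopriv_
// hook is also registered), with no check of the caller's permission. ---
add_action( 'wp_ajax_example_tc_delete', 'example_tc_delete_vulnerable' );
function example_tc_delete_vulnerable() {
    $comment_id = isset( $_POST['comment_id'] ) ? (int) $_POST['comment_id'] : 0;
    // Missing authorization: a low-privilege account can trigger a
    // moderation action that WordPress normally reserves for moderators.
    wp_delete_comment( $comment_id, true );
    wp_send_json_success();
}

// --- Hardened form: first a nonce (request forgery), then authorization
// using the capability WordPress itself uses for comment moderation. ---
add_action( 'wp_ajax_example_tc_delete_safe', 'example_tc_delete_safe' );
function example_tc_delete_safe() {
    // Ends the request with HTTP 403 if the nonce is absent or invalid.
    check_ajax_referer( 'example_tc_delete_nonce', 'nonce' );

    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    $comment    = get_comment( $comment_id );
    if ( ! $comment ) {
        wp_send_json_error( 'no such comment', 404 );
    }
    // 'moderate_comments' is the capability behind the core moderation UI;
    // 'edit_comment' is the per-comment meta capability (author/ownership).
    if ( ! current_user_can( 'moderate_comments' )
        && ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_comment( $comment_id, true );
    wp_send_json_success();
}

// The page that renders the control issues the nonce with
// wp_create_nonce( 'example_tc_delete_nonce' ) and sends it as the
// 'nonce' POST field alongside 'comment_id'.
```

The nonce alone is not authorization: it only proves the request originated from a page WordPress served to that user, so the `current_user_can()` check is the part that closes the CWE-862 gap.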
Affected Systems
The affected software is FolioVision FV Thoughtful Comments, with all releases up to and including version 0.3.5. WordPress sites that have installed any of these versions are at risk if the plugin’s access controls are not overridden elsewhere by site configuration.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate impact severity. EPSS suggests a very low but nonzero probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the WordPress web interface, where an unauthenticated or low-privilege user could submit requests to the plugin's endpoints and gain elevated capabilities. Exploitation requires the plugin to be active and exposed; the description mandates no additional software or network configuration.
OpenCVE Enrichment