Impact
The vulnerability is a missing authorization flaw in the WordPress Setup Default Featured Image plugin. The plugin does not correctly enforce access control on its settings, allowing users to bypass the expected permission checks. An attacker could use this to view or modify plugin settings, potentially including the image defaults that affect site appearance and future uploads. While the flaw does not enable remote code execution on its own, unauthorized control over a plugin can let a malicious actor further manipulate a site's content or configuration, raising confidentiality and integrity risks.
Affected Systems
The issue affects the Theme Funda Setup Default Featured Image plugin for WordPress in versions up to and including 1.2. Any WordPress site with this plugin enabled at version 1.2 or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity with potential for privilege escalation. The EPSS score of less than 1% indicates a low likelihood of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the WordPress administration interface, where users with lower privileges may be able to reach plugin settings that should be restricted to administrators. Exploitation requires only that such a user navigate to the plugin configuration page; because no authorization check is enforced there, the user can gain unauthorized access to the settings or change them.
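The defect described above is the absence of a capability check in a settings handler. The following is an added example, not the plugin's own code, showing a hypothetical WordPress settings-save handler in its unchecked form next to a hardened form; the option name, hook name and nonce name are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): a hypothetical settings-save handler
// registered on admin-post.php, first without authorization, then hardened.
// Option, action and nonce names are assumptions for illustration only.

// Unchecked pattern: any logged-in user whose request reaches admin-post.php
// can fire this hook and overwrite the plugin's default-image option. Note
// that the capability passed to add_options_page() only gates the menu page,
// not handlers registered this way, so a menu capability alone is not enough.
function sdfi_save_settings_unchecked() {
    update_option( 'sdfi_default_image_id', absint( $_POST['default_image_id'] ?? 0 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=sdfi&updated=1' ) );
    exit;
}
// add_action( 'admin_post_sdfi_save', 'sdfi_save_settings_unchecked' );

// Hardened pattern: authorization and CSRF checks run before any write.
function sdfi_save_settings_checked() {
    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'sdfi' ), '', array( 'response' => 403 ) );
    }
    // CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'sdfi_save_settings', 'sdfi_nonce' );

    $image_id = absint( $_POST['default_image_id'] ?? 0 );
    // Input validation: accept only an attachment that exists and is an image.
    if ( $image_id && ! wp_attachment_is_image( $image_id ) ) {
        wp_die( esc_html__( 'Invalid image.', 'sdfi' ), '', array( 'response' => 400 ) );
    }
    update_option( 'sdfi_default_image_id', $image_id );
    wp_safe_redirect( admin_url( 'options-general.php?page=sdfi&updated=1' ) );
    exit;
}
add_action( 'admin_post_sdfi_save', 'sdfi_save_settings_checked' );

// The settings form that posts to this handler must emit the matching nonce:
// wp_nonce_field( 'sdfi_save_settings', 'sdfi_nonce' );
```

When reviewing a plugin for this bug class, check every handler reached through admin-post.php, admin-ajax.php or the REST API for a current_user_can() call, since the menu capability does not protect those entry points.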
OpenCVE Enrichment