Impact
Missing authorization in the webraketen Internal Links Manager plugin allows an attacker to exploit incorrectly configured access control settings and use the plugin's internal link management functions without authorization. This broken access control can expose hidden content, manipulate site navigation, or modify link data, potentially harming site integrity and trust. The primary weakness is identified as CWE-862, indicating that the plugin does not properly enforce user permissions.
Affected Systems
The vulnerability affects the webraketen Internal Links Manager WordPress plugin for all versions up to and including 2.5.2. Any WordPress site that has installed this plugin within that version range is potentially affected. No specific distribution or platform details beyond WordPress are listed.
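A defender can check an install tree against the stated range by reading each plugin's header comment. The sketch below is an added example, not code from the plugin or from this advisory; it assumes the header's Plugin Name contains "Internal Links Manager", and the directory names and the 9.9.9 version in the sample tree are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_NAME = "Internal Links Manager"  # assumption: name as written in the plugin header
LAST_AFFECTED = (2, 5, 2)                 # advisory: all versions up to and including 2.5.2
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*(?:\*/)?[ \t\r]*$", re.M | re.I)

def read_plugin_header(php_file):
    """Plugin Name / Version from the header comment (WordPress reads only the first 8 KB)."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.title(), value)  # first occurrence wins
    return fields

def parse_version(text):
    """'2.5.2' -> (2, 5, 2); trailing zeros dropped so 2.5.0 == 2.5; () if unparseable."""
    nums = [int(n) for n in re.match(r"[\d.]*", text.strip()).group().split(".") if n]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def find_affected(plugins_dir):
    """(file, version, affected) per matching plugin; affected is None if version is unknown."""
    hits = []
    for php in sorted(plugins_dir.glob("*/*.php")):  # directory plugins only
        hdr = read_plugin_header(php)
        if AFFECTED_NAME.lower() not in hdr.get("Plugin Name", "").lower():
            continue
        raw = hdr.get("Version")
        ver = parse_version(raw or "")
        hits.append((php.relative_to(plugins_dir).as_posix(), raw,
                     (ver <= LAST_AFFECTED) if ver else None))
    return hits

def build_sample_tree(root):
    """Constructed sample tree; directory names and 9.9.9 are placeholders, not real values."""
    for slug, ver in (("example-links-old", "2.5.2"), ("example-links-new", "9.9.9")):
        (root / slug).mkdir()
        (root / slug / "plugin.php").write_text(
            f"<?php\n/**\n * Plugin Name: Internal Links Manager\n * Version: {ver}\n */\n")
    (root / "other-plugin").mkdir()
    (root / "other-plugin" / "other.php").write_text("<?php\n/* Plugin Name: Other\nVersion: 1.0 */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        print(find_affected(Path(tmp)))
```

Point `find_affected` at a site's `wp-content/plugins` directory; because the name match is a substring test, confirm each hit is the webraketen plugin before acting on it.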
Risk and Exploitability
The CVSS score of 4.3 places the issue at medium severity, while the EPSS score of less than 1% suggests a very low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a user with any authenticated access to the WordPress site exploiting the lack of authorization checks. The exact impact for a given site depends on the roles and capabilities assigned to users, but the potential for unauthorized access to plugin features remains.