Impact
The flaw is a missing authorization check in the Bulk Menu Edit plugin that allows exploitation of incorrectly configured access control security levels. An attacker who can interact with the plugin can modify menu items or misconfigure the site's navigation structure, undermining the integrity of the site. The weakness is classified as CWE-862, an authorization flaw that permits unauthorized access or modifications.
Affected Systems
The vulnerability affects the M.Code Bulk Menu Edit plugin, specifically all released versions up to and including 1.3. The affected artifact is the WordPress plugin that provides bulk editing of navigational menus. No specific WordPress core versions are mentioned, so any site running the affected plugin version is potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, and the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is the plugin's user interface, which requires a user whose role permissions allow menu editing. An attacker could gain unauthorized influence over the menu structure without needing elevated privileges beyond those granted to the affected role.