Impact
The Email Notifications for Updates WordPress plugin from AWEOS GmbH contains a missing authorization flaw (CWE-862) that allows attackers to gain elevated privileges within the WordPress site. Because a privileged plugin action is reachable without the proper authentication or authorization checks, an attacker can perform administrative actions through it. The impact is the potential compromise of site administration, site data, and the integrity of the application.
Affected Systems
WordPress sites running any version of the Email Notifications for Updates plugin through 1.1.6 are affected. The plugin is distributed by AWEOS GmbH and is commonly identified by the CPE string cpe:2.3:a:aweos:email_notifications_for_updates:*:*:*:*:*:*:*. Users of later versions are not impacted by this issue.
Risk and Exploitability
The CVSS score of 8.8 indicates a high severity rating, while the EPSS score of < 1% denotes a low likelihood of observed exploitation activity at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would likely need to send authenticated requests that reach the unguarded code path, for example by crafting URLs or form submissions that trigger privileged plugin actions. The exact attack path is not detailed in the supplied data, so this assessment is based on the description and on how WordPress plugins normally execute.
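The CWE-862 pattern described above, as an added illustration written for this advisory rather than code taken from the Email Notifications for Updates plugin: a generic WordPress admin-post handler that updates a plugin option. The hook name, option name, text domain, and capability (`manage_options`) are assumptions chosen for the example; the vulnerable version omits the capability check, and the hardened version adds both the authorization check and the nonce (CSRF) check before any state changes.

```php
<?php
// Added example for this advisory; not the plugin's own code.
// Hook name, option name, text domain and capability are hypothetical.

// --- Vulnerable pattern (CWE-862): the callback assumes that anyone who
// reaches admin-post.php is allowed to change plugin settings. Any
// authenticated user who can submit this action can update the option.
add_action( 'admin_post_enfu_save_settings_vulnerable', 'enfu_save_settings_vulnerable' );
function enfu_save_settings_vulnerable() {
    $recipients = isset( $_POST['recipients'] ) ? wp_unslash( $_POST['recipients'] ) : '';
    update_option( 'enfu_recipients', sanitize_text_field( $recipients ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=enfu' ) );
    exit;
}

// --- Hardened pattern: authorization (capability) and CSRF (nonce) checks
// both run before the option is touched.
add_action( 'admin_post_enfu_save_settings', 'enfu_save_settings' );
function enfu_save_settings() {
    // Authorization: only users with manage_options (administrators by default)
    // may change plugin settings. wp_die() with a 403 stops execution here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'enfu' ), 403 );
    }

    // CSRF: the request must carry a nonce bound to this specific action.
    check_admin_referer( 'enfu_save_settings', 'enfu_nonce' );

    $recipients = isset( $_POST['recipients'] )
        ? sanitize_text_field( wp_unslash( $_POST['recipients'] ) )
        : '';
    update_option( 'enfu_recipients', $recipients );

    wp_safe_redirect( admin_url( 'options-general.php?page=enfu&updated=1' ) );
    exit;
}

// The settings form must emit the matching nonce for the hardened handler.
function enfu_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="enfu_save_settings">
        <?php wp_nonce_field( 'enfu_save_settings', 'enfu_nonce' ); ?>
        <input type="text" name="recipients"
               value="<?php echo esc_attr( get_option( 'enfu_recipients', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'enfu' ) ); ?>
    </form>
    <?php
}
```

The same rule applies to `wp_ajax_*` callbacks and REST route callbacks: a nonce alone proves the request came from a form or page the user loaded, not that the user is allowed to perform the action, so `current_user_can()` (or a REST `permission_callback`) is the check that actually closes CWE-862. When reviewing a plugin for this class of bug, look for every `add_action( 'admin_post_…' )`, `add_action( 'wp_ajax_…' )` and `register_rest_route()` callback that reaches `update_option()`, role changes, or file writes, and confirm a capability check precedes the state change.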