This vulnerability is a missing authorization flaw that allows an unauthenticated user to invoke functions in the FRESHFACE Fresh Framework WordPress plugin that are normally protected by access control lists. The result is that a malicious actor can access, modify, or create resources within the plugin without being logged in, potentially compromising the confidentiality, integrity, or availability of the WordPress site. The weakness is a classic example of broken access control (CWE-862).

The Fresh Framework plugin for WordPress, from the earliest known version up to and including 1.70.0, is affected. Administrators using any of these releases should verify the installed version and plan to upgrade.

The CVSS score of 8.6 indicates high severity, and the EPSS score of less than 1% shows a low but non-zero exploitation probability. The description notes that the flaw is unauthenticated, which implies that an attacker can not require prior credentials; however, the exact method of exploitation (e.g., remote HTTP request) is not explicitly stated. It is inferred that the attack vector is remote via crafted HTTP requests to the plugin’s endpoints. Because the flaw is unauthenticated, an adversary can exploit it remotely by simply sending crafted HTTP requests to the plugin’s endpoints; no privileges are required. The vulnerability is not listed in the CISA KEV catalog, but the combination of high severity and the potential for widespread impact warrants prompt remediation.