Missing authorization checks in Aldo Latino PrivateContent allow an authenticated user with the Subscriber role or lower to bypass protected content restrictions and view or modify material that should be restricted. The flaw is a classic broken access control vulnerability (CWE‑862). The consequence is a confidentiality compromise of subscriber‑only content and potentially sensitive business information; any single compromised user can access the entire site’s protected sections.

Any WordPress site that uses Aldo Latino PrivateContent plugin version 8.11.5 or earlier is affected. The flaw exists in all releases from the first available version up to and including 8.11.5. Administrators should check the installed version and upgrade if required.

The CVSS score of 8.3 indicates a high severity due to the wide impact on confidentiality and the simplicity of exploitation. The EPSS score of less than 1% shows that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated request to a content‑delivery endpoint that fails to enforce role checks; any user registered as a Subscriber or lower can exploit the flaw by accessing protected pages. Because a non‑administrator account can trigger the issue, the required credentials are minimal. Although the exploitation probability is low at present, the high severity warrants immediate action.