Impact
The vulnerability in the Page and Post Lister plugin is a missing authorization flaw (CWE‑862) that lets an attacker delete any content on a WordPress site. Because the plugin permits deletion operations without proper permission checks, an attacker who can reach the plugin’s delete endpoint can remove posts, pages, or custom post types, compromising data integrity and potentially disrupting site functionality.
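The missing check and its corrected form, shown as an added WordPress example that is not the plugin's own code. The handler names, the `ppl_example_delete` action and the `post_id` and `nonce` request parameters are hypothetical, and the code assumes it is loaded by WordPress as part of a plugin.

```php
<?php
// Added illustration with hypothetical names (ppl_example_*); not the plugin's code.

// Pattern the advisory describes: the handler deletes whatever ID it receives
// and never asks whether the caller is allowed to delete that object.
function ppl_example_delete_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// Hardened form: verify request origin, then authorize against the specific post.
function ppl_example_delete_checked() {
    // Reject forged cross-site requests; the nonce comes from wp_create_nonce().
    check_ajax_referer( 'ppl_example_delete', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // Meta capability: WordPress maps 'delete_post' to the primitive capability
    // required for this post's type, status and author.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // false = posts and pages go to the trash when trash is enabled,
    // so an unwanted deletion can still be restored.
    if ( ! wp_delete_post( $post_id, false ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// Register only the checked handler, and only for logged-in users
// (no wp_ajax_nopriv_ hook is added).
add_action( 'wp_ajax_ppl_example_delete', 'ppl_example_delete_checked' );
```

When reviewing a plugin for this class of flaw, look for every code path that reaches `wp_delete_post()` and confirm a `current_user_can()` check on the target object precedes it.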
Affected Systems
The flaw affects Radius of Thought’s Page and Post Lister plugin for WordPress. Versions from the earliest available release through 1.2.1 are vulnerable. The issue exists in any site that has the plugin installed and configured with default or permissive access control settings.
Risk and Exploitability
The CVSS score of 6.5 signals a moderate severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to access the plugin’s administration area, and the flaw permits arbitrary content deletion regardless of the user’s actual role or capability level, implying that the attack vector is most likely authenticated but with incorrect privilege enforcement. The minimal technical barrier and the ability to cause loss of content raise the risk for sites that have public editors or other privileged roles.