Impact
The vulnerability is a missing authorization flaw in the Viral Loops WP Integration plugin: its access controls are incorrectly configured. By manipulating request parameters or accessing specific plugin endpoints, a threat actor can reach administrative functions or sensitive settings that should be restricted to privileged users. The impact is elevation of privileges and potential unauthorized configuration changes, which could compromise site data or enable further attacks.
Affected Systems
Affected systems are WordPress sites running the Viral Loops WP Integration plugin version 3.8.1 or earlier. The plugin is published by Viralloops and is listed under the vendor name Viral Loops WP Integration. The vulnerability applies to all installations from the initial release through version 3.8.1; later versions have not been identified as affected by this flaw.
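A check for the affected range described above, as an added example that is not part of the advisory or the plugin's own code: it reads WordPress plugin file headers under a plugins directory and flags matching plugins at version 3.8.1 or earlier. Matching on a `Plugin Name` header containing "Viral Loops" and the sample header are assumptions; adjust them to the installed plugin.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (3, 8, 1)  # last affected version, from the advisory text
# Assumption: the plugin's main file has a "Plugin Name:" header matching this.
NAME_PATTERN = re.compile(r"viral\s*loops", re.IGNORECASE)
# WordPress-style header fields, e.g. " * Version: 3.8.1" inside a PHP comment.
HEADER = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t\r]*$",
    re.IGNORECASE | re.MULTILINE)
# Constructed sample header (not copied from the real plugin).
SAMPLE = """<?php
/**
 * Plugin Name: Viral Loops WP Integration
 * Version: 3.8.1
 */
"""

def parse_header(php_source):
    """Return the 'plugin name' and 'version' fields found in a plugin file."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):  # headers sit at the top
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """Turn '3.8.1' or '3.8' into a comparable 3-part tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return version_tuple(version) <= LAST_AFFECTED

def scan_plugins(plugins_dir):
    """Return (file, version, affected) for each matching plugin main file."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(encoding="utf-8", errors="replace"))
        name, version = fields.get("plugin name"), fields.get("version")
        if name and NAME_PATTERN.search(name):
            # A header without a version is flagged so that it gets reviewed.
            results.append((str(php), version, version is None or is_affected(version)))
    return results

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, version, affected in scan_plugins(root):
        print(f"{path}: {version or 'unknown'} -> {'AFFECTED' if affected else 'ok'}")
```

Run it with the path to the site's `wp-content/plugins` directory as the only argument.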
Risk and Exploitability
The CVSS base score of 5.3 indicates moderate severity for missing authorization, while the EPSS score of less than 1% suggests that this vulnerability is unlikely to be actively exploited in the wild at this time. The vulnerability is not included in the CISA KEV catalog, further implying a lower exploitation risk. The likely attack vector is web-based access to the plugin’s administrative endpoints, possibly by an authenticated user with limited rights or, if certain endpoints are exposed, by an unauthenticated user. Without a public exploit, the risk remains moderate until the patch is applied.