The vulnerability is a Missing Authorization flaw in the Direct Checkout for WooCommerce Lite plugin up through version 1.0.3. It allows a user to access plugin functionality that should be restricted by access control lists, thereby enabling unauthorized operations or data exposure. This type of flaw is classified as CWE‑862 and signifies that the plugin’s internal security checks are insufficient or absent. The vendor description confirms that any functionality not properly constrained by ACLs can be used by attackers who trigger the vulnerable endpoints.

The affected product is the Direct Checkout for WooCommerce Lite plugin, developed by centangle. All releases from the initial version (no starting version listed) up to and including 1.0.3 are vulnerable. Users running any of these versions on a WordPress site with WooCommerce installed are at risk.

The CVSS score of 5.3 indicates a moderate severity when viewed from a technical perspective. The EPSS score of less than 1% suggests that exploitation attempts are currently rare or difficult to detect. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely occurs through a normal web request to the plugin’s endpoints, implying a remote attack vector with limited prerequisites: the ability to send requests to the WordPress site. An attacker benefiting from this flaw can gain or influence restricted functionality without having elevated privileges, potentially impacting the confidentiality or integrity of the store’s checkout process.