Impact
The PluginOps Top Bar plugin contains a missing authorization flaw that allows an attacker to bypass the plugin’s configured security settings. The vulnerability is classified as CWE-862, indicating that access control checks are improperly enforced. As a result, an attacker who can reach the plugin’s administrative interfaces may gain unauthorized abilities that are typically reserved for privileged users, such as modifying site settings or accessing sensitive content. The official description lists the flaw as an "Incorrectly Configured Access Control Security Levels" issue. No evidence of more severe impacts, such as remote code execution, is provided in the data.
Affected Systems
WordPress sites that have the PluginOps Top Bar (ultimate-bar) plugin installed at version 3.3 or earlier are vulnerable. The affected versions are indicated as "n/a through <= 3.3", meaning any installation that has not been upgraded beyond the 3.3 release may be impacted.
Risk and Exploitability
The vulnerability has a CVSS score of 5.3, indicating a moderate risk level. The EPSS score is listed as < 1%, suggesting that exploitation is unlikely but not impossible. The flaw is not currently included in the CISA KEV catalog. The likely attack vector is a web-based request to the plugin’s administrative endpoints, which rely on the plugin’s own access control logic rather than on WordPress capability checks. If an attacker can send a crafted request to those endpoints, they may circumvent the plugin’s intended restrictions. Given the lack of a publicly documented exploit and the low EPSS, the risk is moderate; however, the potential for unauthorized changes to the site still justifies remediation.
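The following is an added, illustrative example of the CWE-862 pattern described above in a WordPress plugin settings handler, with its hardened form; it is not the ultimate-bar plugin's code, and the hook, option and nonce names are hypothetical.

```php
<?php
// Illustrative CWE-862 (missing authorization) pattern in a WordPress plugin.
// Hypothetical names throughout; NOT the ultimate-bar plugin's own code.

// BEFORE: the handler assumes only administrators reach it. wp_ajax_* hooks
// fire for every authenticated user, so any subscriber-level account can
// overwrite the plugin's settings. (Shown for contrast; not registered here.)
function example_bar_save_insecure() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_bar_settings', $settings );
    wp_send_json_success();
}

// AFTER: authorization is enforced server-side on every request using a
// WordPress capability, independent of any "security level" the plugin
// stores in its own settings, and a nonce prevents cross-site forgery.
add_action( 'wp_ajax_example_bar_save', 'example_bar_save_secure' );
function example_bar_save_secure() {
    // Capability check: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce check: terminates the request with 403 if missing or invalid.
    check_ajax_referer( 'example_bar_save', '_wpnonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    // Whitelist and sanitize the fields instead of storing the raw payload.
    $settings = array(
        'text'    => sanitize_text_field( $raw['text'] ?? '' ),
        'enabled' => ! empty( $raw['enabled'] ),
    );
    update_option( 'example_bar_settings', $settings );
    wp_send_json_success( $settings );
}
```

When auditing a plugin for this flaw class, look for admin-ajax, REST or admin-post handlers that change options without a `current_user_can()` call, or that gate access on a value the plugin itself stores.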
OpenCVE Enrichment