This vulnerability lies in a missing authorization check that enables an attacker to bypass the configured access control levels of the sourceplay-navermap WordPress plugin. The flaw permits unauthorized exploration or manipulation of protected resources that should be available only to privileged users. The primary consequence is the potential for an attacker to gain inappropriate access to sensitive data or functionality within the WordPress site without needing any valid credentials.

The flaw affects the sourceplay-navermap plugin distributed by ldwin79 for WordPress, specifically all releases from the initial release through version 0.0.2. Users running any of these versions on a WordPress site are vulnerable, regardless of the site’s overall configuration or user base. No other WordPress components are directly mentioned as impacted.

The CVSS base score of 4.3 classifies the vulnerability as moderate, indicating that while the attack does not compromise the entire system, it can expose privileged functionalities. The EPSS score, being below 1%, suggests that the probability of real-world exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote and involves interacting with the plugin’s web interfaces, potentially through crafted requests that exploit the missing authorization check. No specific prerequisites beyond access to the WordPress site are stated, so normal connectivity to the site is sufficient to potentially exploit the flaw.