Missing authorization controls in the WPC Smart Linked Products plugin likely allow a low‑privilege or unauthenticated user to perform actions that are only intended for administrators, resulting in privilege escalation. This flaw is classified as a lack of proper authentication (CWE‑862) and can lead to unauthorized configuration changes, data exposure, and potential control over the WooCommerce store interface. The vulnerability is present in all versions of the plugin up to and including 1.3.5.

The affected vendor is WPClever, and the product is the WPC Smart Linked Products – Upsells & Cross‑sells for WooCommerce plugin. All installations running version 1.3.5 or earlier are vulnerable. No other versions or product variants are known to be affected.

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low probability of exploitation under current conditions, though the flaw has not been listed in the CISA KEV catalog. The attack vector is inferred to be via the plugin’s administrative interface, which is likely accessible to users who already possess some level of site access but lack the necessary privileges. Based on the description, it is inferred that attackers with even minimal rights could exploit the missing authorization check to gain elevated privileges, thereby compromising system integrity and confidentiality.