Impact
The vulnerability is a missing authorization flaw (CWE‑862) in the falselight Exchange Rates WordPress plugin: functionality that should be restricted to a privileged role can be reached without the authorization check that is meant to gate it. An attacker can potentially read or modify exchange rate data that should be available only to administrators, compromising the confidentiality and integrity of the plugin’s data. The weakness is a classic instance of CWE‑862, Missing Authorization, in which the code performs a privileged action without first verifying that the caller is allowed to request it.
Affected Systems
The flaw affects all installations of the falselight Exchange Rates plugin up to and including version 1.2.2. WordPress sites running an affected version are exposed unless they have updated to a release later than 1.2.2 or otherwise restricted access to the plugin’s administrative interfaces.
Risk and Exploitability
The CVSS score of 4.3 places the vulnerability in the medium severity band, and the EPSS score of under 1% indicates a very low probability of exploitation in the wild at present. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The likely attack vector is a web request to the plugin’s configuration pages or API endpoints that triggers a privileged operation without the intended capability check, letting an unauthenticated or low‑privileged user perform an action reserved for administrators. Because the flaw affects both the confidentiality and the integrity of the plugin’s data and the remedy is a routine plugin update, patching remains the recommended course of action despite the low exploitation likelihood.
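The following example is added here to show what the CWE‑862 pattern described in the Impact section looks like in a WordPress plugin, and how the attack vector described above (an admin‑ajax or REST request reaching a privileged operation without a capability check) is closed. It is illustrative code written for this page, not code from the falselight Exchange Rates plugin, and every name in it (the `xr_*` functions and hook names, the `xr_rates` option key, the `xr/v1` REST namespace) is an assumption. The WordPress API calls (`add_action`, `current_user_can`, `check_ajax_referer`, `register_rest_route`, `update_option`, `wp_send_json_*`) are real core functions.

```php
<?php
/*
 * Illustrative example for this page, not the falselight Exchange Rates
 * plugin's code. A hypothetical "update rates" handler is shown first with
 * the CWE-862 defect (missing authorization), then in a hardened form.
 * All xr_* names, the option key and the REST namespace are assumptions.
 */

// Shared input validation: keep only upper-case ISO-style 3-letter codes
// mapped to positive numbers. Validation is not authorization; it is step 3.
function xr_sanitize_rates( array $raw ) {
    $rates = array();
    foreach ( $raw as $code => $value ) {
        $code = strtoupper( sanitize_text_field( (string) $code ) );
        if ( preg_match( '/^[A-Z]{3}$/', $code ) && is_numeric( $value ) && (float) $value > 0 ) {
            $rates[ $code ] = (float) $value;
        }
    }
    return $rates;
}

// --- Vulnerable pattern (CWE-862) ---------------------------------------
// wp_ajax_* hooks fire for every authenticated user regardless of role, so a
// Subscriber account can reach this. A wp_ajax_nopriv_* registration would
// expose the same handler to unauthenticated visitors.
add_action( 'wp_ajax_xr_update_rates_vulnerable', 'xr_update_rates_vulnerable' );
function xr_update_rates_vulnerable() {
    // No current_user_can() and no nonce: anyone who can log in overwrites
    // the rates that administrators are supposed to control.
    $raw = isset( $_POST['rates'] ) ? (array) wp_unslash( $_POST['rates'] ) : array();
    update_option( 'xr_rates', xr_sanitize_rates( $raw ) );
    wp_send_json_success( get_option( 'xr_rates' ) );
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_xr_update_rates', 'xr_update_rates' );
function xr_update_rates() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // 2. Intent (CSRF): the request must carry a nonce issued for this action;
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'xr_update_rates', '_wpnonce' );

    // 3. Validation of the payload itself.
    $raw   = isset( $_POST['rates'] ) ? (array) wp_unslash( $_POST['rates'] ) : array();
    $rates = xr_sanitize_rates( $raw );
    if ( empty( $rates ) ) {
        wp_send_json_error( array( 'message' => 'No valid rates supplied' ), 400 );
    }
    update_option( 'xr_rates', $rates );
    wp_send_json_success( $rates );
}

// --- The same defect and fix on a REST route -----------------------------
add_action( 'rest_api_init', function () {
    // Vulnerable: a permission_callback of __return_true makes the write public.
    register_rest_route( 'xr/v1', '/rates-vulnerable', array(
        'methods'             => 'POST',
        'callback'            => 'xr_rest_update_rates',
        'permission_callback' => '__return_true',
    ) );
    // Hardened: the permission callback enforces the capability. For
    // cookie-authenticated callers core additionally requires a valid
    // X-WP-Nonce header before the user is treated as logged in.
    register_rest_route( 'xr/v1', '/rates', array(
        'methods'             => 'POST',
        'callback'            => 'xr_rest_update_rates',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function xr_rest_update_rates( WP_REST_Request $request ) {
    $rates = xr_sanitize_rates( (array) $request->get_param( 'rates' ) );
    if ( empty( $rates ) ) {
        return new WP_Error( 'xr_bad_rates', 'No valid rates supplied', array( 'status' => 400 ) );
    }
    update_option( 'xr_rates', $rates );
    return rest_ensure_response( $rates );
}
```

A practical check for any plugin handler of this kind: log in as a Subscriber, send a POST to `wp-admin/admin-ajax.php` with the handler's `action` value, and confirm the response is a 403 (or a nonce failure) rather than a success payload; repeat unauthenticated for any route registered with `wp_ajax_nopriv_` or a permissive REST `permission_callback`. Note that a nonce alone does not fix CWE‑862: it proves the request was intended, not that the requester is authorized, which is why the capability check comes first in the hardened handler.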