Impact
The Wordapp plugin for WordPress, published by the Wordapp Team, contains a missing-authorization flaw that lets an attacker bypass the access restrictions the plugin is supposed to enforce. The vendor describes it as an incorrectly configured access control security level; in practice this means protected functionality is reachable without a check that the caller is actually permitted to use it, so an unauthorized user may be able to read or modify data and invoke actions that should have been restricted. The weakness is classified as CWE‑862 (Missing Authorization): the software performs a privileged operation without verifying that the actor is entitled to perform it.
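To make the weakness class concrete, the following is an added illustration of how CWE‑862 typically appears in a WordPress plugin: a REST route and an admin-ajax handler that perform privileged work with no authorization check, followed by hardened versions of both. This is example code written for this page, not the Wordapp plugin's code, and it does not describe Wordapp's actual endpoints; the route namespace `example-plugin/v1`, the option `example_plugin_api_key`, the action names `example_sync`/`example_sync_secure` and the capability `manage_options` are assumptions.

```php
<?php
// Illustrative example of CWE-862 (missing authorization) in a WordPress plugin.
// This is NOT the Wordapp plugin's code. The namespace 'example-plugin/v1', the
// option 'example_plugin_api_key', the AJAX actions and the capability
// 'manage_options' are assumptions made for the illustration.

/* ---------- Vulnerable: REST route with no authorization ---------- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        // CWE-862: every caller, including anonymous visitors, is let through.
        'permission_callback' => '__return_true',
    ) );
} );

function example_plugin_update_settings( WP_REST_Request $request ) {
    // Sanitizing the input does not help here: the defect is WHO may call this,
    // not WHAT they send.
    update_option( 'example_plugin_api_key', sanitize_text_field( $request['api_key'] ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

/* ---------- Vulnerable: admin-ajax handler with no authorization ---------- */

// The nopriv hook exposes the handler to unauthenticated requests, and the
// handler never checks a capability, so any visitor can trigger it with
// POST /wp-admin/admin-ajax.php?action=example_sync
add_action( 'wp_ajax_example_sync',        'example_plugin_sync' );
add_action( 'wp_ajax_nopriv_example_sync', 'example_plugin_sync' );

function example_plugin_sync() {
    delete_option( 'example_plugin_api_key' );   // privileged side effect
    wp_send_json_success( array( 'synced' => true ) );
}

/* ---------- Hardened: authorization enforced at both entry points ---------- */

add_action( 'rest_api_init', function () {
    // Same callback as above; the difference is entirely in permission_callback.
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        // Authorization: tie the route to a capability that matches its impact.
        // Cookie/nonce authentication is handled by the REST API itself; the
        // capability decision belongs here.
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to change these settings.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );

// No wp_ajax_nopriv_ hook: anonymous requests never reach the handler at all.
add_action( 'wp_ajax_example_sync_secure', 'example_plugin_sync_secure' );

function example_plugin_sync_secure() {
    // CSRF protection. A nonce proves the request came from a page this user
    // loaded; it is NOT an authorization check and must not replace one.
    check_ajax_referer( 'example_sync', 'nonce' );

    // Authorization. is_user_logged_in() would not be enough: a subscriber
    // account is logged in too, and low-privilege access is exactly what a
    // CWE-862 issue lets an attacker abuse.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    delete_option( 'example_plugin_api_key' );
    wp_send_json_success( array( 'synced' => true ) );
}
```

Two points are worth keeping in mind when reviewing any plugin for this class of bug. First, `permission_callback` has been mandatory since WordPress 5.5 (a missing one triggers a `_doing_it_wrong` notice), but `'__return_true'` satisfies that requirement while authorizing nothing, so its presence is not evidence of a check. Second, neither a nonce nor `is_user_logged_in()` is authorization; only a `current_user_can()` test against a capability appropriate to the action is.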
Affected Systems
The affected product is the Wordapp plugin for WordPress, distributed by the Wordapp Team. All releases up to and including version 1.7.0 are affected; no earlier version is excluded, so any installation running 1.7.0 or older should be treated as vulnerable.
Risk and Exploitability
A CVSS base score of 4.3 places the vulnerability in the Medium severity band. The EPSS score is below 1%, so the estimated probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog, meaning no active exploitation is known. The attack vector is inferred rather than published here: an attacker would reach the flaw over the web, either through the WordPress administrative interface or by calling the plugin's own endpoints directly, and would likely need an authenticated account or some other level of access to the site. The risk to an organization therefore depends on whether the plugin is installed, whether the site admits untrusted users (for example, through open registration with low-privilege roles), and how the plugin is configured; patching is recommended regardless, to preclude misuse.