Impact
Missing authorization in the onOffice for WP‑Websites WordPress plugin lets an attacker exploit incorrectly configured access control and perform actions they should not be able to. The weakness is CWE‑862, indicating that the plugin does not enforce proper permissions for certain endpoints or functions. If an attacker can use those endpoints, they could read or modify protected data or settings, compromising confidentiality and integrity of the site.
Affected Systems
Any WordPress installation that uses the onOffice for WP‑Websites plugin version 6.5.1 or earlier is vulnerable. The flaw applies to all releases from the earliest available version through 6.5.1, as the plugin’s access‑control checks are missing in each of those releases.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1 % suggests a low likelihood of exploitation at present. The plugin is not listed in CISA’s KEV catalog, meaning no publicly known exploitation activity has been recorded there. The description does not specify an exact attack path; however, given the nature of the flaw, the likely attack vector is the plugin’s REST or admin‑area endpoints that lack proper authorization checks. An attacker who can authenticate to the WordPress instance, whether as a legitimate user whose role was incorrectly granted permission for the protected functionality or by calling the plugin’s endpoints directly, could use the flaw to read or change configuration settings. Because the problem stems from a missing access‑control check, any user with access to the plugin’s back end could potentially perform the privileged actions, so the risk is proportional to the number of users who unintentionally have such access.
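The following is an added illustration of the CWE‑862 pattern the two sections above describe, written for this page and not taken from the onOffice for WP‑Websites plugin or from OpenCVE; the route namespace, option key, handler names, the `api_key` parameter and the `manage_options` capability are assumptions chosen for the example. It shows a WordPress REST route and an admin‑AJAX handler first without an authorization check (any authenticated request, or in the REST case any request at all, can change a stored setting), then with the capability check and nonce verification a plugin should enforce.

```php
<?php
// Added example of missing authorization (CWE-862) in WordPress endpoints.
// NOT code from the onOffice for WP-Websites plugin: the route namespace,
// option key, parameter and function names below are hypothetical.

// Shared callback: persists the submitted value to a (hypothetical) option.
function example_update_settings( WP_REST_Request $request ) {
    $value = $request->get_param( 'api_key' );
    update_option( 'example_plugin_api_key', $value );
    return rest_ensure_response( array( 'updated' => true ) );
}

// --- Vulnerable pattern: settings-changing REST route with no authorization.
// '__return_true' makes the route reachable by any caller, so any request
// (authenticated or not) can overwrite the option.
function example_register_settings_route_vulnerable() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST/PUT/PATCH
        'callback'            => 'example_update_settings',
        'permission_callback' => '__return_true',
    ) );
}

// --- Hardened pattern: capability check plus argument validation.
// Only users who may manage site options reach the callback. For cookie-
// authenticated REST requests WordPress additionally requires a valid
// X-WP-Nonce header before this permission callback is consulted.
function example_register_settings_route_hardened() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_settings_route_hardened' );

// --- Vulnerable admin-AJAX pattern: registering only the wp_ajax_ hook
// (not wp_ajax_nopriv_) restricts the handler to logged-in users, but being
// logged in is authentication, not authorization: a subscriber can call it.
function example_ajax_save_settings_vulnerable() {
    $value = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_plugin_api_key', $value );
    wp_send_json_success();
}

// --- Hardened admin-AJAX pattern: nonce (anti-CSRF) and capability check.
function example_ajax_save_settings_hardened() {
    check_ajax_referer( 'example_plugin_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_plugin_api_key', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_ajax_save_settings_hardened' );
```

When reviewing a plugin for this weakness, the two places to look are every `register_rest_route()` call whose `permission_callback` is `'__return_true'` (or absent) on a route that reads or writes state, and every `wp_ajax_*` or `admin_post_*` handler that lacks a `current_user_can()` check; the nonce alone protects against cross‑site request forgery, not against an authenticated low‑privilege user, so both checks are needed.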
OpenCVE Enrichment