Impact
The vulnerability is a missing authorization flaw in the Phil Age Gate WordPress plugin that allows users to access functions that are not properly restricted by access control lists. This flaw could enable an attacker to use any protected feature of the plugin without proper permission, potentially exposing sensitive data or altering site behavior. The weakness is an instance of CWE-862, a classic broken access control issue.
Affected Systems
The affected product is the Age Gate WordPress plugin from Phil, version 3.5.4 and earlier. Any WordPress installation running one of these versions is vulnerable. The original defect description indicates that all releases up to and including 3.5.4 are impacted; later releases are assumed to be fixed.
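An added example, not part of the advisory or the plugin's code: a check that reads the `Version:` header from a plugin's main PHP file and classifies the install against the 3.5.4 boundary stated above. The function names and the sample header are constructed for illustration.

```python
import re

# From the advisory: every release up to and including 3.5.4 is affected.
LAST_AFFECTED = (3, 5, 4)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Age Gate
 * Version: 3.5.4
 * Author: Phil
 */
"""

def header_version(php_source):
    """Return the Version header from a plugin main file, or None if absent."""
    # WordPress only scans the first 8 KB of the file for headers.
    match = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", php_source[:8192],
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None

def parse_version(text):
    """Turn '3.5.4' or '3.6.0-beta' into a tuple of ints (suffix ignored)."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if match is None:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def is_affected(version_text):
    """True when the version is 3.5.4 or earlier."""
    version = parse_version(version_text)
    # Pad to equal length so '3.5' compares as 3.5.0 and '3.5.4.1' as newer.
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda parts: parts + (0,) * (width - len(parts))
    return pad(version) <= pad(LAST_AFFECTED)

def assess(php_source):
    """Classify one install: 'affected', 'not listed as affected' or 'unknown'."""
    found = header_version(php_source)
    if found is None:
        return "unknown"  # no header found: inspect this install by hand
    try:
        return "affected" if is_affected(found) else "not listed as affected"
    except ValueError:
        return "unknown"

if __name__ == "__main__":
    print(assess(SAMPLE_HEADER))
```

Pre-release suffixes are ignored in the comparison, so a build such as `3.5.5-beta` is classified by its numeric part only and should be confirmed against the vendor's changelog.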
Risk and Exploitability
The CVSS base score of 5.3 indicates moderate risk. The EPSS score of less than 1 percent suggests that exploitation is unlikely but not impossible; however, the plugin is widely used by WordPress sites, which may increase exposure. The vulnerability is not listed in the CISA KEV catalog. Because the flaw involves improper enforcement of ACLs, the most probable entry point is a WordPress user with access to the Age Gate plugin’s administrative functions; based on the description, it is inferred that an attacker with any authenticated WordPress role could try to call the restricted endpoints directly. No additional prerequisites such as system configuration are mentioned. The damage would be limited to the plugin’s scope, but it could allow unauthorized data retrieval or manipulation.