The vulnerability is an authentication bypass that exploits an alternate path or channel in the miniOrange Password Policy Manager plugin, allowing attackers to gain unauthenticated access to a WordPress site’s user accounts. By bypassing the normal login flow, an adversary can log in as any user, including administrators, leading to full account takeover. This flaw is classified as CWE‑288, which concerns messages or services that authenticate users or otherwise verify identity.

Affected systems are WordPress installations that include the miniOrange Password Policy Manager plugin with a version number of 2.0.4 or earlier. The flaw is present in all releases from the initial release until version 2.0.4. No other vendors or products are currently known to be impacted by this issue according to the CNA data.

The CVSS score of 8.8 indicates a high‑severity risk of unauthorized data access and control. The EPSS score of less than 1 % suggests that the likelihood of exploitation is presently low, yet the potential damage from an account takeover could be significant. The vulnerability is not listed in the CISA KEV catalog. The description claims that the plugin permits authentication abuse via an alternate path or channel. Based on the description, it is inferred that an attacker who can reach the plugin’s entry points over the web may attempt to exploit this bypass by submitting crafted requests. This inference is not backed by documented proof‑of‑concept code, so the actual exploitation feasibility remains uncertain. The path would require only the ability to contact the affected WordPress site.