Impact
The WP STAGING Pro WordPress Backup Plugin contains a flaw where the getOutdatedPluginsRequest() function performs no capability check, so it can be invoked without authentication. The result is an information disclosure that reveals the list of active and inactive plugins installed on the site, together with their versions. The primary impact is the exposure of plugin details that can serve as reconnaissance; the flaw does not by itself enable code execution or other direct attacks.
Affected Systems
All WordPress installations that have the WP STAGING Pro plugin installed with a version number up to and including 6.1.2 are affected. The vulnerability applies regardless of the number or type of plugins present on the site; every instance of the plugin in those versions is susceptible. Sites running newer versions of the plugin are not impacted.
Risk and Exploitability
The CVSS score of 5.3 places this flaw in the moderate severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is an unauthenticated HTTP request to the getOutdatedPluginsRequest endpoint: because the capability check is missing, a request to the relevant endpoint, such as /wp-admin/admin-ajax.php?action=getOutdatedPluginsRequest, sent from any external network returns the plugin information. No privileges of any kind are required, so the flaw is straightforward to trigger for unauthenticated users.
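The root cause is a missing capability check on an AJAX handler. The example below is added here to illustrate that bug class and is not WP STAGING Pro's own code: a hypothetical handler written the vulnerable way sits beside a hardened version, and all hook and function names are assumed placeholders.

```php
<?php
// Added illustrative example, not code from WP STAGING Pro. The hook
// names and function names below are hypothetical placeholders.

// Shared helper: builds the plugin inventory the handler returns.
function example_plugin_inventory() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $inventory = array();
    foreach ( get_plugins() as $plugin_file => $plugin_data ) {
        $inventory[] = array(
            'name'    => $plugin_data['Name'],
            'version' => $plugin_data['Version'],
            'active'  => is_plugin_active( $plugin_file ),
        );
    }
    return $inventory;
}

// Vulnerable pattern: registered on the nopriv hook (reachable by anonymous
// visitors through admin-ajax.php) and returning data with no check on who asks.
add_action( 'wp_ajax_example_outdated_plugins', 'example_outdated_plugins_vulnerable' );
add_action( 'wp_ajax_nopriv_example_outdated_plugins', 'example_outdated_plugins_vulnerable' );

function example_outdated_plugins_vulnerable() {
    wp_send_json_success( example_plugin_inventory() ); // leaks the inventory to anyone
}

// Hardened pattern: no nopriv registration, a nonce bound to the action, and a
// capability check before any plugin data is read.
add_action( 'wp_ajax_example_outdated_plugins_fixed', 'example_outdated_plugins_fixed' );

function example_outdated_plugins_fixed() {
    // Stops the request when the nonce is missing or invalid.
    check_ajax_referer( 'example_outdated_plugins', 'nonce' );

    // Only users allowed to manage plugins may see the inventory.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    wp_send_json_success( example_plugin_inventory() );
}
```

Until the plugin is updated past 6.1.2, requests to admin-ajax.php carrying action=getOutdatedPluginsRequest from clients that never authenticated are the pattern to watch for in web server logs.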
OpenCVE Enrichment