The missing authorization flaw in the Blocksera Cryptocurrency Widgets Pack plugin allows attackers to perform actions beyond the intended plugin permissions. Through the vulnerability an attacker could modify widget settings, create new widgets or alter existing ones, potentially exposing cryptocurrency configurations or disrupting site functionality. This flaw is classified as CWE-862, indicating an access control issue that bypasses normal permission checks.

The plugin is distributed by Blocksera under the name Cryptocurrency Widgets Pack for WordPress, and all versions up to and including 2.0.1 are affected by the flaw. It is unclear from the data which specific WordPress user roles are required to trigger the error, but any role that grants the plugin capabilities could be vulnerable.

The CVSS score of 6.5 places the vulnerability in the moderate range, while the EPSS score of less than 1% suggests that exploitation attempts are currently infrequent. The issue is not listed in the CISA KEV catalog. The likely attack vector is through a user with elevated WordPress permissions who can configure the plugin; by exploiting a misconfigured role or capability check, an attacker can bypass built‑in access controls and carry out unauthorized changes to widgets. Because the exploit requires only configuration privileges, users who manage the plugin without proper role restrictions are at greatest risk.