The vulnerability in the WP Messiah Swiss Toolkit For WP plugin allows an attacker to bypass authorization checks due to missing access‑control safeguards. Identified as a classic Broken Access Control flaw (CWE‑862), it enables attackers to access administrative functionalities, manipulate data, or perform unauthorized operations within the WordPress environment. The impact is the gain of elevated privileges or access to sensitive data.

This issue affects the WP Messiah Swiss Toolkit For WP plugin at all releases up to and including version 1.4.0. Any WordPress site that has installed this plugin with a version not newer than 1.4.0 is vulnerable.

The CVSS score of 4.3 indicates a moderate severity risk. The EPSS score of less than 1% shows that the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The flaw is likely exploitable through the web interface of the WordPress site, requiring either an authenticated attacker with sufficient privileges or an unauthenticated user capable of sending crafted requests to the plugin’s endpoints. Because the plugin lacks proper authorization checks, a successful trigger can allow unauthorized access to protected functions or data. Given the EPSS and KEV status, this vulnerability is not currently actively exploited, but the presence of broken access control can be leveraged by attackers to elevate privileges or access sensitive data.