Impact
The Elfsight Testimonials Slider plugin performs actions without first verifying that the requesting user is authorized to perform them (a missing authorization check). Functionality that should be reserved for privileged roles is therefore reachable by users who do not hold the required capability, which may allow them to view or modify testimonial content and plugin configuration that the slider stores. The impact is on confidentiality and integrity of that data; the description indicates no availability impact and no path to code execution.
Affected Systems
The affected product is Elfsight's Testimonials Slider plugin for WordPress, versions up to and including 1.0.1. Any WordPress installation running the plugin at version 1.0.1 or earlier is affected. The installed version can be read from the Plugins screen or with `wp plugin list` on WP-CLI; the advisory text here does not name a fixed release, so confirm the remediated version against the vendor's changelog before treating an update as a fix.
Risk and Exploitability
The CVSS score of 5.4 places this access-control issue at medium severity. The EPSS score of less than 1% indicates that exploitation is currently very unlikely, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is the plugin's exposed interfaces on the WordPress site (admin-ajax handlers or REST API routes), where a user who lacks the required capability could invoke the unprotected functionality; this is inferred from the description, which does not state whether an account is needed. The advisory does not publish the CVSS vector, so the score alone does not settle whether a login is required. No other prerequisites are noted, so exploitation would begin from the web interface whenever the plugin is active. Note that a missing authorization check lets a caller perform specific actions beyond their role; it does not by itself grant a higher role, so "elevated permissions" should be read as access to the unprotected actions rather than full privilege escalation.
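The following illustrates the class of defect described in the Impact and Risk sections: a WordPress plugin handler that performs a privileged action without a capability or nonce check, beside a hardened form. This is an added, generic example and is not code from the Elfsight plugin; the hook names, option name, REST namespace and nonce action are assumed for illustration.

```php
<?php
/*
 * Illustrative WordPress plugin code (added example, not Elfsight code).
 * Demonstrates the "missing authorization" pattern and a hardened version.
 * All hook, option and route names below are assumed for illustration.
 */

// VULNERABLE PATTERN: an admin-ajax handler registered on wp_ajax_* is
// reachable by any logged-in user. Without current_user_can() and a nonce,
// a subscriber-level account can overwrite the plugin's settings.
add_action( 'wp_ajax_demo_slider_save', 'demo_slider_save_vulnerable' );
function demo_slider_save_vulnerable() {
    update_option( 'demo_slider_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED: verify a nonce (CSRF) and require a capability that matches
// the sensitivity of the action (authorization) before touching data.
add_action( 'wp_ajax_demo_slider_save_fixed', 'demo_slider_save_fixed' );
function demo_slider_save_fixed() {
    check_ajax_referer( 'demo_slider_save', 'nonce' );     // dies with -1 on a bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {        // only administrators may change settings
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'demo_slider_settings', $settings );
    wp_send_json_success();
}

// The same mistake on a REST route: permission_callback => '__return_true'
// exposes the endpoint to unauthenticated callers. The permission callback
// is where authorization belongs; the handler should assume it already ran.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-slider/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_slider_rest_save',
        // Vulnerable form would be: 'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function demo_slider_rest_save( WP_REST_Request $request ) {
    $settings = sanitize_text_field( (string) $request->get_param( 'settings' ) );
    update_option( 'demo_slider_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of flaw, grep its `wp_ajax_`, `wp_ajax_nopriv_` and `register_rest_route` registrations and confirm each handler that reads or writes state checks `current_user_can()` (and a nonce for cookie-authenticated requests); a `wp_ajax_nopriv_` hook or a `permission_callback` of `__return_true` on a state-changing route is the unauthenticated variant of the same problem.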