Impact
The SP Blog Designer plugin contains a missing authorization check that permits arbitrary shortcodes to be executed by users who should not have that capability. The flaw stems from incorrectly configured access control levels and is classified as CWE-862 (Missing Authorization). It is inferred that such arbitrary shortcode execution could allow an attacker to run unintended plugin code, affecting the confidentiality and integrity of the WordPress site's content, and may lead to remote code execution if the plugin processes shortcodes unsafely.
Affected Systems
The vulnerable component is the WordPress SP Blog Designer plugin from Softpulse Infotech. Versions up to and including 1.0.0 are affected. No later release has been identified as vulnerable, and the issue does not apply to earlier versions in which the control was properly enforced.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity, while the EPSS score of less than 1 percent denotes a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. It is inferred that the likely attack vector involves an attacker exploiting the missing authorization by inserting malicious shortcodes through a crafted request or by taking advantage of administrative privileges that are improperly restricted. Successful exploitation would allow the attacker to influence the execution of plugin code and potentially compromise site data.
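To make the CWE-862 pattern described in the Impact and Risk sections concrete, here is an added example (not the plugin's own code) of a WordPress AJAX handler that expands caller-supplied shortcodes with no authorization check, followed by a hardened version. Hook names, capability, the `spbd_blog` shortcode tag and the request parameters are assumptions for illustration.

```php
<?php
// Added example, not SP Blog Designer's code. Hook names, the capability and
// the shortcode tag are hypothetical; only the WordPress API calls are real.

// --- Vulnerable pattern: any logged-in user (even a subscriber) can reach this
// handler and have the plugin expand whatever shortcode they name. ---
add_action( 'wp_ajax_spbd_render', 'spbd_render_unchecked' );
function spbd_render_unchecked() {
    // No current_user_can() and no nonce: the "missing authorization" of CWE-862.
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $shortcode ); // runs the callback of any registered shortcode
    wp_die();
}

// --- Hardened version: capability check, CSRF protection, and an allow-list so
// the caller picks a tag but never writes the shortcode text itself. ---
add_action( 'wp_ajax_spbd_render_safe', 'spbd_render_checked' );
function spbd_render_checked() {
    // Authorization: choose the narrowest capability that fits the feature.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // wp_send_json_error() also exits
    }
    // Nonce issued with wp_create_nonce( 'spbd_render' ) on the admin page.
    check_ajax_referer( 'spbd_render', 'nonce' );

    // Only the plugin's own tag may be rendered, and it must still be registered.
    $allowed_tags = array( 'spbd_blog' );
    $tag = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! in_array( $tag, $allowed_tags, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Attributes are typed and sanitized, then the shortcode string is built
    // server-side, so do_shortcode() never sees caller-controlled markup.
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $html = do_shortcode( sprintf( '[%s id="%d"]', $tag, $id ) );
    wp_send_json_success( array( 'html' => $html ) );
}
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*`, REST route or form handler that reaches `do_shortcode()` and confirm that a `current_user_can()` check and a nonce check precede it.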