Impact
The vulnerability is a missing authorization flaw that lets attackers bypass the intended access controls of the Think201 Clients WordPress plugin. Because the required checks are absent, an attacker could invoke privileged functions or retrieve sensitive data that should be protected. The weakness stems from incorrectly configured permission levels, which allow non‑privileged users to perform actions normally reserved for authorized personnel. The primary impact is the exposure of confidential information or the modification of the site’s data, compromising its integrity.
Affected Systems
WordPress sites that have installed the Think201 Clients plugin in any version up to and including 1.1.4 are affected. The issue is specific to the plugin’s access control layer and does not extend to the core WordPress installation or other plugins unless they rely on this plugin’s compromised functionality.
Risk and Exploitability
The CVSS base score of 6.4 indicates moderate severity, and the EPSS score of less than 1 percent suggests a very low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur via standard HTTP requests to the plugin’s admin or front‑end endpoints, so the attacker needs only network access to the WordPress site. Knowledge of the plugin’s internal endpoints and its API would further enable an attacker to craft requests that reach the unprotected functions.
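To make the class of flaw concrete, here is an added illustration (not code from the Think201 Clients plugin or from this advisory) of a WordPress AJAX handler that lacks authorization, beside its corrected form; every hook, option, nonce and capability name below is hypothetical and chosen for the example.

```php
<?php
// Hypothetical illustration of a missing-authorization (CWE-862) handler in a
// WordPress plugin, shown beside its corrected form. Hook and option names are
// invented for this example and are not taken from the Think201 Clients plugin.

// BEFORE: the action is exposed to logged-in users (wp_ajax_) and to anonymous
// visitors (wp_ajax_nopriv_), and the handler never checks a nonce or a capability.
add_action( 'wp_ajax_example_clients_save', 'example_clients_save_unchecked' );
add_action( 'wp_ajax_nopriv_example_clients_save', 'example_clients_save_unchecked' );
function example_clients_save_unchecked() {
    $data = isset( $_POST['client_data'] ) ? wp_unslash( $_POST['client_data'] ) : '';
    update_option( 'example_clients_data', $data ); // privileged write with no authorization
    wp_send_json_success();
}

// AFTER: the action is registered for authenticated users only, the handler verifies
// a nonce tied to the plugin's own admin page, and then enforces a capability check
// before touching plugin data. Input is sanitized before it is stored.
add_action( 'wp_ajax_example_clients_save_secure', 'example_clients_save_checked' );
function example_clients_save_checked() {
    // CSRF protection: the nonce must come from wp_create_nonce( 'example_clients_save' ).
    check_ajax_referer( 'example_clients_save', 'nonce' );

    // Authorization: only users allowed to manage site options may modify client records.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $data = isset( $_POST['client_data'] )
        ? sanitize_text_field( wp_unslash( $_POST['client_data'] ) )
        : '';
    update_option( 'example_clients_data', $data );
    wp_send_json_success();
}
```

When auditing a plugin for this weakness, look for `wp_ajax_nopriv_` registrations, REST routes with `permission_callback => '__return_true'`, and handlers that write data without a `current_user_can()` check.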
OpenCVE Enrichment