Impact
A missing authorization flaw in the OTWthemes Widget Manager Light plugin allows attackers to invoke functions that should be constrained by ACLs. This vulnerability can be used to gain unauthorized control over widget settings and potentially manipulate site content or user experience. The weakness corresponds to CWE-862, where permission checks are omitted, enabling privilege escalation within the plugin’s scope.
Affected Systems
WordPress installations running OTWthemes Widget Manager Light version 1.18 or earlier are affected. The issue applies to all builds within that range, and the plugin must be active on the site for the vulnerability to be exploitable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% indicates a very low but nonzero probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker must have authenticated access to the WordPress dashboard to reach the vulnerable functions, since the plugin exposes administrative interfaces. With no authorization check in place, an authenticated attacker could invoke the exposed functionality and modify widget behavior or content. No exploit or detailed attack vector was disclosed, so the risk assessment rests on the plugin's widespread deployment and the potential for privilege misuse.
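To make the CWE-862 pattern concrete for defenders reviewing plugin code, here is an added illustration (not the plugin's own code) of a hypothetical admin-ajax handler that saves widget settings, first without any permission check and then with the capability and nonce checks WordPress expects. The handler, action and option names are assumptions.

```php
<?php
// Added illustration, not code from the plugin: a hypothetical admin-ajax
// handler that persists widget settings. The "before" form has the CWE-862
// shape described above; the "after" form adds the checks that were missing.
// Handler, action and option names are assumptions.

// BEFORE: missing authorization. wp_ajax_* actions are reachable by any
// logged-in user, so omitting the capability check lets a low-privileged
// account change settings meant for administrators.
function wml_example_save_settings_unsafe() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'wml_example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_wml_example_save_unsafe', 'wml_example_save_settings_unsafe' );

// AFTER: authorization and request-forgery checks before any state change.
function wml_example_save_settings_safe() {
    // Reject requests without a valid nonce issued for this action.
    check_ajax_referer( 'wml_example_save', 'nonce' );
    // Require the capability WordPress uses for widget management.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    // Keep only known keys and sanitize each value before persisting.
    $clean = array();
    foreach ( array( 'title', 'visibility' ) as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( wp_unslash( $settings[ $key ] ) );
        }
    }
    update_option( 'wml_example_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_wml_example_save', 'wml_example_save_settings_safe' );
```

When auditing a plugin for this weakness, look for every `wp_ajax_*`, REST route or `admin_post_*` handler that writes state and confirm a `current_user_can()` check (and a nonce check) precedes the write.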