The Question Answer plugin contains a missing authorization check that allows users to access functionality that should be restricted by access control lists. Because the plugin fails to validate user permissions, an attacker can exploit the exposed endpoints to perform actions normally reserved for privileged users, potentially compromising the confidentiality and integrity of the data stored in the plugin. The weakness is classified as CWE-862, which describes an access control failure.

WordPress sites running the PickPlugins Question Answer plugin version 1.2.73 or earlier are affected. No additional version details are specified, so any installation using a supported version up to 1.2.73 should be considered vulnerable.

The CVSS base score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further reducing the immediate threat posture. Based on the nature of the flaw, the likely attack vector is remote, with an attacker sending a crafted HTTP request to one of the plugin’s administrative endpoints from any network location where the WordPress site is accessible. The absence of a hard boundary on who can access the functionality means the exploit can be performed without additional system compromise.