Impact
The vulnerability in Jeroen Schmit’s Theater for WordPress plugin allows an attacker to bypass the plugin’s defined access levels and perform actions that should be restricted to higher‑privileged users. Classified as CWE‑862 (Missing Authorization), this broken access control flaw can enable modification or deletion of content, addition or alteration of entries, or other unauthorized manipulation of the site’s data once a user is able to reach the plugin’s functionality without the authorization check that should gate it.
Affected Systems
WordPress sites running Jeroen Schmit’s Theater for WordPress plugin version 0.18.7 or earlier are affected. The flaw could be used by administrators, editors, or other roles that normally configure the plugin, by any user who can reach the plugin’s configuration pages, or by an attacker who has coerced or compromised a user with sufficient privileges.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% means widespread exploitation is currently unlikely. The issue is not listed in CISA’s KEV catalog. Based on the description, the attack vector is inferred to be remote, via the WordPress admin interface where the plugin’s configuration is accessible, and typically requires an authenticated user with sufficient privileges. Once the access control is bypassed, the attacker acts with the privileges of that user, allowing significant modification of site content or settings.
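To make the class of defect concrete, the following is an added illustration written for this page, not code from the Theater for WordPress plugin: a hypothetical admin‑post handler that saves a plugin setting, first relying on the admin UI alone to keep low‑privilege users out (the CWE‑862 pattern), then with a server‑side capability check and nonce verification. The hook name, option name and capability are assumptions chosen for the example.

```php
<?php
/*
 * Added illustration (hypothetical, not the Theater for WordPress plugin's code).
 * Both handlers save one plugin option from a settings form posted to
 * admin-post.php?action=example_theater_save.
 */

// Weak (CWE-862): no authorization check in the handler. Hiding the settings
// page from low-privilege roles is not access control; any logged-in user can
// POST directly to admin-post.php with this action name.
function example_theater_save_weak() {
    $value = sanitize_text_field( wp_unslash( $_POST['example_theater_setting'] ?? '' ) );
    update_option( 'example_theater_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-theater' ) );
    exit;
}

// Hardened: the capability check is the actual access control, enforced on the
// server for every request; the nonce ties the request to a form WordPress
// rendered for this user, so a forged cross-site request is rejected as well.
function example_theater_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change this setting.', 'example-theater' ),
            '',
            array( 'response' => 403 )
        );
    }
    check_admin_referer( 'example_theater_save' ); // dies on a missing or invalid nonce

    $value = sanitize_text_field( wp_unslash( $_POST['example_theater_setting'] ?? '' ) );
    update_option( 'example_theater_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-theater' ) );
    exit;
}

// Register only the hardened handler. The settings form that posts to it must
// include wp_nonce_field( 'example_theater_save' ) for check_admin_referer() to pass.
add_action( 'admin_post_example_theater_save', 'example_theater_save_hardened' );
```

When auditing a plugin for this flaw, look for every admin_post_*, wp_ajax_* and REST callback that changes state and confirm it performs its own current_user_can() check rather than assuming the menu registration already filtered the caller.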