Impact
The vulnerability, classified as an authorization deficiency, permits users who lack proper administrative privileges to modify the settings of the WordPress plugin. Because the plugin’s access control is incorrectly implemented, any authenticated user who can reach the settings page may change configuration parameters, potentially exposing the site to further exploitation or altering its operation.
Affected Systems
The issue affects WordPress sites that have installed the "UPC/EAN/GTIN Code Generator" plugin, supplied by the UKR Solution developer Dmitry V., and are running any version up to and including 2.0.2. Sites running a later version are not affected; the issue exists in all releases from the earliest available through version 2.0.2.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker who can authenticate to the site could use the lack of authorization to alter settings, which could lead to privilege escalation, code execution, or service disruption depending on how the plugin is used. A likely attack path involves accessing the plugin’s admin interface, bypassing the missing capability check, and adjusting configuration values. The risk is higher for sites that expose this interface to users who are not true administrators.
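To check whether a site falls in the affected range, the following added example (not code from the plugin or from this advisory's source) scans a WordPress plugins directory for the plugin and compares its version with 2.0.2. It assumes the plugin's "Plugin Name" header matches the name given above and that the default path is wp-content/plugins; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Both values come from the advisory text; adjust the name if your copy differs.
PLUGIN_NAME = "UPC/EAN/GTIN Code Generator"
LAST_AFFECTED = (2, 0, 2)

# WordPress reads "Key: value" lines from the header comment of the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def parse_version(text):
    """Turn '2.0.2' or '2.0.2-beta' into (2, 0, 2); None if not numeric."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when version <= 2.0.2, zero-padding so that 1.9 compares as 1.9.0."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)

def read_headers(php_file):
    """Return the first Plugin Name / Version headers in the file's first 8 KiB."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    headers = {}
    for key, value in HEADER_RE.findall(head):
        headers.setdefault(key.lower(), value.strip())
    return headers

def scan_plugins(plugins_dir):
    """Return [(relative_path, version_string, status)] for each copy found."""
    root, found = Path(plugins_dir), []
    for php_file in sorted(root.glob("*/*.php")):
        headers = read_headers(php_file)
        if headers.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        raw = headers.get("version", "")
        version = parse_version(raw)
        # An unreadable version is flagged for manual review, not assumed safe.
        status = "unknown" if version is None else (
            "affected" if is_affected(version) else "not affected")
        found.append((php_file.relative_to(root).as_posix(), raw, status))
    return found

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, raw, status in scan_plugins(target):
        print(f"{path}: version {raw or '?'} -> {status}")
```

A status of "unknown" means the plugin was found but its version header could not be read, so that copy needs a manual check.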