Impact
The MyBookProgress plugin for WordPress contains a missing authorization flaw that allows an attacker to bypass the plugin's access control settings. The weakness is classified as Missing Authorization (CWE-862), a form of Broken Access Control, and can let unauthorized users perform actions intended for privileged users, such as viewing or modifying progress tracking data and potentially tampering with child or parent accounts. The impact is limited to the scope of the MyBookProgress plugin's functionality, but it can expose sensitive educational data that the plugin handles.
Affected Systems
Stormhill Media’s MyBookProgress plugin version 1.0.8 and all earlier releases are affected. The plugin is distributed as a WordPress plugin; any WordPress installation that has MyBookProgress installed is therefore at risk. No specific WordPress core version is required for exploitation, but the plugin must be present and configured to use its default access control restrictions.
Risk and Exploitability
The CVSS base score of 4.3 indicates moderate severity for this access control failure. The EPSS score of less than 1% indicates a very low probability of real-world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, and no public exploit has been reported. The attack vector likely requires that the attacker be able to reach the WordPress site (whether authenticated or unauthenticated) and interact with the plugin's interfaces, such as the admin panel or frontend pages, to abuse the missing authorization checks.
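To make the CWE-862 pattern named in the Impact and Risk sections concrete for defenders reviewing their own plugins, the following is an added illustration in PHP. It is not MyBookProgress code and does not describe where the flaw sits in that plugin; the function names, the `hypo_` prefix, the nonce action and the post-meta key are all hypothetical. It shows a WordPress admin-ajax write handler in the shape that produces a missing-authorization finding, beside the hardened form that checks request intent (nonce), object-level capability, and input before touching storage.

```php
<?php
// Added illustration (not MyBookProgress code): a WordPress admin-ajax handler
// that saves per-book progress. All names below are hypothetical.

// Vulnerable shape: any request that reaches admin-ajax.php can update the
// data, because nothing verifies who the caller is or whether the request
// was intended. This is the CWE-862 pattern the advisory describes.
function hypo_save_progress_vulnerable() {
    $book_id  = isset( $_POST['book_id'] ) ? absint( $_POST['book_id'] ) : 0;
    $progress = isset( $_POST['progress'] ) ? absint( $_POST['progress'] ) : 0;
    update_post_meta( $book_id, '_hypo_progress', $progress );
    wp_send_json_success();
}

// Hardened form: verify intent (nonce), then authorization (a capability
// checked against the specific object), then validate input.
function hypo_save_progress_hardened() {
    // Sends a 403 JSON response and stops if the nonce is missing or invalid.
    check_ajax_referer( 'hypo_save_progress', 'nonce' );

    $book_id  = isset( $_POST['book_id'] ) ? absint( $_POST['book_id'] ) : 0;
    $progress = isset( $_POST['progress'] ) ? absint( $_POST['progress'] ) : 0;

    // Authorization on the object, not merely "is logged in": only users who
    // may edit this particular post can change its progress record.
    if ( ! $book_id || ! current_user_can( 'edit_post', $book_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    if ( $progress > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid progress' ), 400 );
    }
    update_post_meta( $book_id, '_hypo_progress', $progress );
    wp_send_json_success( array( 'book_id' => $book_id, 'progress' => $progress ) );
}

// Register for logged-in users only. Registering the matching
// `wp_ajax_nopriv_*` hook would expose a write action to anonymous visitors,
// which is a common way an authorization gap becomes reachable unauthenticated.
add_action( 'wp_ajax_hypo_save_progress', 'hypo_save_progress_hardened' );
```

When auditing a site for the advisory above, the practical check is the installed version: `wp plugin get <slug> --field=version` on a WP-CLI-enabled host reports it, and anything at or below 1.0.8 is in the affected range (the slug is assumed to be `mybookprogress`; confirm it against the plugin directory entry on the site). In code review, the questions the hardened handler answers are the ones to ask of every state-changing action a plugin registers: is a nonce verified, is a capability checked against the specific object rather than the user's mere login state, and is the action registered on a `nopriv` hook it does not need.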