Impact
The vulnerability is a Missing Authorization flaw (CWE‑862) that allows an attacker to bypass the intended permission checks within the Easy WP Optimizer plugin. By exploiting this weakness, an unauthorized user can execute any privileged operation the plugin provides, such as configuring optimization settings or deleting site content. The flaw can compromise confidentiality, integrity, and availability of the WordPress site. The CVSS score of 8.8 reflects a high severity because the plugin is active on the site’s front‑end and can be reached by unauthenticated users in many configurations.
Affected Systems
This issue affects the Easy WP Optimizer plugin for WordPress, supplied by coothemes, from version… (n/a) through version 1.1.0. Any WordPress site that installs or enables this plugin in these versions is at risk. Exact sub‑versions are not listed, but all releases up to and including 1.1.0 are affected.
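To find installations in the affected range, the following added example (not code from the plugin or from this advisory's source) reads the standard WordPress plugin header and flags versions up to and including 1.1.0. It assumes the plugin is identified by its "Plugin Name" header, since the page does not give the plugin's directory name; the function names and the sample header are constructed for illustration.

```python
import re
from pathlib import Path

AFFECTED_NAME = "Easy WP Optimizer"  # plugin name as given on this page
LAST_AFFECTED = (1, 1, 0, 0)         # "through version 1.1.0"

# Header fields sit in the leading comment of the plugin's main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.I | re.M)

# Constructed sample header, not taken from the real plugin.
SAMPLE = """<?php
/*
 * Plugin Name: Easy WP Optimizer
 * Version: 1.1.0
 */
"""

def parse_header(text):
    """Return the first Plugin Name / Version values found in the header."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'1.0' -> (1, 0, 0, 0); None when no number is present."""
    nums = re.findall(r"\d+", version.split("-")[0])[:4]
    return tuple(int(n) for n in nums) + (0,) * (4 - len(nums)) if nums else None

def assess(text):
    fields = parse_header(text)
    if fields.get("plugin name", "").lower() != AFFECTED_NAME.lower():
        return "other_plugin"
    version = version_tuple(fields.get("version", ""))
    if version is None:
        return "unknown"  # name matches but version unreadable: review by hand
    # The page lists no fixed release, so newer versions are only "outside the range".
    return "affected" if version <= LAST_AFFECTED else "outside_listed_range"

def scan(plugins_dir):
    """Check the top-level PHP files of every folder under wp-content/plugins."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        status = assess(php.read_text(errors="replace"))
        if status in ("affected", "unknown"):
            hits.append((str(php), status))
    return hits

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Call `scan()` with the path to a site's `wp-content/plugins` directory; it returns a list of `(file, status)` pairs for matches that are affected or need manual review.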
Risk and Exploitability
The vulnerability has a CVSS score of 8.8 and an EPSS score of less than 1%, indicating that, while the probability of exploitation is low, it is still possible. It does not appear in the CISA KEV catalog, so no current exploitation campaigns are documented. Based on the description, the attack vector is inferred to be remote, through the WordPress admin interface or public‑facing endpoints that the plugin registers. Exploitation requires the attacker to reach the WordPress installation, potentially as an unauthenticated user who can then manipulate URLs or form submissions to trigger privileged actions.