Impact
This vulnerability is a missing authorization check (CWE-862) in the Spider Elements plugin for WordPress, developed by Spider Themes: a privileged operation is exposed without verifying that the caller holds the capability it requires, so a user who should be restricted from it can invoke it. The description does not name the affected operation and does not claim code execution; for this class of flaw in a WordPress plugin the usual outcome is that a low-privileged or unauthenticated user can change plugin settings or read configuration data. Unauthorized configuration changes undermine the integrity of the site and can serve as a foothold for further attacks.
Affected Systems
The affected product is the Spider Elements WordPress plugin by Spider Themes. All releases up to and including version 1.6.6 are affected. Administrators should check the installed version (the Plugins screen in wp-admin, or the Version header of the plugin's main file) and update to a release later than 1.6.6 if the vendor has published one; if no fixed release is available, deactivating the plugin removes the exposed handler until one is.
Risk and Exploitability
The CVSS score of 6.4 places the issue at medium severity, and the EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in the CISA KEV catalog. The page does not give the CVSS vector, but for a missing-authorization flaw in a WordPress plugin the attack path is normally remote over HTTP: the attacker sends the same request the plugin's admin page or front-end JavaScript would send, typically to an admin-ajax.php action or a REST route, and the handler performs the privileged operation because it never checks the caller's capability. Whether a low-privileged account (such as a subscriber) is needed or the endpoint is reachable unauthenticated depends on how the hook was registered, which the description does not state. The flaw is not described as leading to code execution on its own, but unauthorized access to plugin settings can be chained with other weaknesses to increase impact.
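To make the vulnerability class concrete, the following is an added illustration of what a CWE-862 missing-authorization bug looks like in WordPress plugin code, shown beside the hardened form. It is not the Spider Elements source and does not describe the actual affected handler; the action name `spe_save_options`, the option name `spe_options`, the REST namespace `spe/v1` and all function names are hypothetical.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
// NOT the Spider Elements code: every name below is hypothetical, chosen only
// to show the pattern and its fix.

// --- Vulnerable pattern (shown registered in comments so it does not collide
// with the hardened handler below). The wp_ajax_ hook makes the handler
// reachable by any logged-in user, wp_ajax_nopriv_ by anonymous visitors, and
// the function writes an option without any capability or nonce check.
//
// add_action( 'wp_ajax_spe_save_options',        'spe_save_options_vulnerable' );
// add_action( 'wp_ajax_nopriv_spe_save_options', 'spe_save_options_vulnerable' );

function spe_save_options_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'spe_options', $settings ); // privileged write, no authz
    wp_send_json_success();
}

// --- Hardened form: privileged hook only, capability check, nonce check,
// and input sanitisation before the write.
add_action( 'wp_ajax_spe_save_options', 'spe_save_options_hardened' );

function spe_save_options_hardened() {
    // Authorization: the caller must hold the capability this operation needs.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action
    // (e.g. via wp_create_nonce( 'spe_save_options' ) in the admin page).
    check_ajax_referer( 'spe_save_options', 'nonce' );

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'spe_options', $settings );
    wp_send_json_success();
}

// --- The same flaw via the REST API: a permission_callback of __return_true
// makes the route public. The hardened callback ties the route to the same
// capability; core's cookie authentication additionally requires X-WP-Nonce.
add_action( 'rest_api_init', function () {
    register_rest_route( 'spe/v1', '/options', array(
        'methods'             => 'POST',
        'callback'            => 'spe_rest_save_options',
        // Vulnerable: 'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function spe_rest_save_options( WP_REST_Request $request ) {
    $settings = array_map( 'sanitize_text_field', (array) $request->get_param( 'settings' ) );
    update_option( 'spe_options', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing an installed plugin for this bug class, grep its source for `wp_ajax_nopriv_`, `admin_post_nopriv_` and `'permission_callback' => '__return_true'`, then read each referenced callback for a `current_user_can()` check before any `update_option()`, file write or similar privileged call. A handler that checks only a nonce is still vulnerable, because a nonce proves intent, not authorization.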