Impact
The vulnerability is a Missing Authorization flaw (CWE-862) in the EazyDocs plugin for WordPress. It lets attackers bypass intended access restrictions and reach content or settings that should be protected, which can lead to unauthorized data exposure or manipulation of the plugin’s configuration. The impact is therefore a privilege escalation within the site’s content management system, potentially giving an attacker control over documents or sensitive information. The plugin’s own documentation describes the flaw as the result of incorrectly configured security levels; the effect is that any authenticated or even unauthenticated user can use the exposed endpoints to gain access to privileged resources.
Affected Systems
WordPress sites running the EazyDocs plugin by Spider Themes, versions up to and including 2.7.1, are affected. The issue applies to all installations of that plugin that have not yet been upgraded past 2.7.1.
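A triage check for the affected range above, added here as an example and not taken from the advisory or the plugin: it reads the `Version:` header of an EazyDocs main file under a `wp-content/plugins` directory and flags anything at or below 2.7.1. The directory name `eazydocs` and the sample header are assumptions.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 7, 1)      # from the advisory: versions up to and including 2.7.1
PLUGIN_DIR_NAME = "eazydocs"   # assumed plugin directory name (slug)

# WordPress reads plugin metadata from a header comment near the top of the main file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.MULTILINE | re.IGNORECASE)

def parse_version(text):
    """Return the Version header as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(text[:8192])
    if not m:
        return None
    parts = [re.match(r"\d+", p) for p in m.group(1).split(".")]
    return tuple(int(p.group()) for p in parts if p) or None

def is_affected(version):
    """True if version <= 2.7.1. Unknown versions are treated as affected."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)

def scan(plugins_root):
    """Yield (main_file, version, affected) for each EazyDocs copy under plugins_root."""
    for php in sorted(Path(plugins_root).glob(f"{PLUGIN_DIR_NAME}/*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if _NAME_RE.search(text[:8192]):
            v = parse_version(text)
            yield php, v, is_affected(v)

def demo():
    """Run scan() over a constructed plugins tree (sample data, not a real install)."""
    with tempfile.TemporaryDirectory() as root:
        d = Path(root, PLUGIN_DIR_NAME)
        d.mkdir()
        (d / "eazydocs.php").write_text("<?php\n/**\n * Plugin Name: EazyDocs\n * Version: 2.7.1\n */\n")
        return [(p.name, v, hit) for p, v, hit in scan(root)]

if __name__ == "__main__":
    for name, version, hit in demo():
        print(name, version, "AFFECTED" if hit else "ok")
```

On a real host, point `scan()` at the site's `wp-content/plugins` path; a missing or unparsable version is reported as affected so that it gets a manual look.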
Risk and Exploitability
The overall CVSS score of 5.4 places the vulnerability in a moderate risk range. The EPSS score of less than 1% indicates that, as of the latest data, exploitation is considered unlikely. The vulnerability is not listed in the CISA KEV catalog, which further underscores its lower current threat level. Even so, the expected attack vector is standard web requests to the plugin’s endpoints, exploiting the lack of proper authorization checks. An attacker would need to identify a target site, craft a request to an exposed API or administrative URL, and traverse the plugin’s internal routing to access protected content.