The vulnerability is a missing authorization flaw in the WordPress plugin Display product variations dropdown on shop page (versions up to and including 1.1.3). It allows a user to bypass intended access controls and modify or view plugin settings that should be restricted to authorized administrators. Based on the description, it is inferred that an attacker could send crafted requests to the plugin’s endpoints to change configuration values, potentially exposing product variations or altering catalog presentation. The identified weakness is classified under CWE‑862, which indicates a flaw in access control rather than a code‑execution or injection issue.

WordPress sites that have installed the Display product variations dropdown on shop page plugin from the vendor Anzar Ahmed and are running any version up through 1.1.3. Site owners who rely on this plugin without applying the latest update may be affected. The impact is confined to the plugin’s scope and does not extend beyond the WordPress environment.

The CVSS score of 4.3 indicates a moderate risk level. With an EPSS score of less than 1%, exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves the attacker exploiting the exposed plugin endpoints, which may be accessed by authenticated or unauthenticated users depending on site configuration. The risk remains moderate, but prompt patching is advised to eliminate the access‑control weakness.