Impact
The Variable Inspector plugin for WordPress contains a missing authorization flaw (the pattern catalogued as CWE-862): at least one of the plugin's request handlers acts on a request without first verifying that the caller holds the capability the operation requires. This is broken access control, and it can let users who should not have access read or modify plugin settings or data that should be restricted, leading to possible data exposure or tampering.

The vulnerability affects Variable Inspector version 2.6.3 and earlier; every installation of these versions is potentially vulnerable, and all WordPress sites running the affected plugin are at risk unless a newer version is in use.

The CVSS score of 4.3 places the issue in the medium severity band, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild as of the current data. The vulnerability is not listed in CISA's KEV catalog. The likely attack path is an external attacker who can reach the public WordPress site and sends crafted requests to the plugin's endpoints; because the handler never performs the authorization check, the request is processed as if it were authorized. Exploitation does not require administrative privileges. The exact authentication requirement of the affected endpoint is not given here, so treat any account that can log in to the site, not just administrators, as a potential source of such a request.
Affected Systems
The Bowo Variable Inspector plugin for WordPress, version 2.6.3 and earlier, is affected. Every WordPress site running one of these versions carries the vulnerability. The installed version is listed on the Plugins screen of the WordPress admin; any release later than 2.6.3 falls outside the affected range given here.
Risk and Exploitability
The CVSS score of 4.3 (medium) reflects that the missing authorization check exposes plugin settings and data that should be restricted, while the rated impact on confidentiality and integrity is limited. The EPSS score of less than 1% points to a low current exploitation probability, but the vulnerability still exists on every unpatched installation, and that probability can rise once exploit details circulate. Absence from CISA's KEV catalog means CISA has not confirmed active exploitation; it does not mean attempts cannot occur. An attacker targets the public WordPress site and sends crafted requests to the plugin's endpoints; since the handler does not check the caller's capabilities, the request succeeds without administrative credentials and can read or modify configuration values. The mitigation is to update to a release newer than 2.6.3; until that is done, deactivating the plugin removes the endpoints it registers.
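As an added illustration of the flaw class described in the Impact and Risk sections, and not code from the Variable Inspector plugin (whose affected handler is not described here), the following hypothetical WordPress AJAX handler shows the missing authorization pattern beside a hardened version. The action name `vi_save_settings`, the option key `vi_settings` and the `manage_options` capability are all assumed for the example.

```php
<?php
/**
 * Added example: hypothetical WordPress plugin AJAX handler showing
 * CWE-862 (Missing Authorization) and its fix. Not code from Variable
 * Inspector. Action name, option key and capability are assumed.
 */

// BEFORE (vulnerable): anything hooked on wp_ajax_* runs for every logged-in
// user, and anything also hooked on wp_ajax_nopriv_* runs for anonymous
// visitors. This handler trusts the caller and writes the option unchecked.
function vi_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'vi_settings', $settings ); // no capability or nonce check
    wp_send_json_success();
}

// AFTER (hardened): the same operation with the checks every privileged
// WordPress endpoint needs, in the order they should run.
function vi_save_settings_hardened() {
    // 1. Authorization: the caller must hold the capability this action
    //    requires. This is the check whose absence defines the flaw.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and terminates
    }

    // 2. Request forgery protection: the nonce must have been issued to this
    //    user for this action; check_ajax_referer() dies on failure.
    check_ajax_referer( 'vi_save_settings', 'nonce' );

    // 3. Input handling: accept only known keys and sanitize each value.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'enabled' => ! empty( $raw['enabled'] ),
        'label'   => isset( $raw['label'] ) ? sanitize_text_field( $raw['label'] ) : '',
    );

    update_option( 'vi_settings', $settings );
    wp_send_json_success( $settings );
}

// Only the hardened handler is registered, and deliberately only on wp_ajax_
// (logged-in users); there is no wp_ajax_nopriv_ registration, so anonymous
// visitors never reach this code path.
add_action( 'wp_ajax_vi_save_settings', 'vi_save_settings_hardened' );
```

The hardened handler rejects the request before it reads any of `$_POST`, so an unauthorized caller learns nothing about the option's shape. For a REST route the equivalent is a `permission_callback` that returns `current_user_can( 'manage_options' )` rather than `__return_true`; a route registered with `__return_true` is the REST-side form of the same missing authorization flaw.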