Impact
The StaffList plugin contains a missing authorization flaw that lets an attacker bypass correctly configured access controls, enabling unauthorized viewing or modification of staff information and related settings. The vulnerability is classified as CWE-862 (Missing Authorization). There is no evidence that the flaw permits arbitrary code execution or denial of service, but it allows privileged operations to be performed without the required authorization checks.
Affected Systems
All installations of the ERA404 StaffList WordPress plugin from the earliest available release through version 3.2.7 are vulnerable. The issue was reported against all releases up to and including 3.2.7; later releases are stated to address the flaw.
Risk and Exploitability
The CVSS score is 4.3, which corresponds to medium severity. The EPSS score is reported as below 1%, indicating a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the flaw stems from missing authorization checks in the plugin's administrative interface. An attacker who can reach the WordPress admin area or send crafted requests to the plugin's endpoints could exploit the weakness to gain unauthorized access. No public exploitation evidence is provided, and the record does not state whether exploitation requires an authenticated user or can be performed without authentication; the exact attack vector is not detailed.
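As an added illustration of the flaw class described above (this is hypothetical example code, not the StaffList plugin's own, and the action, option and capability names are assumptions), a WordPress AJAX settings handler is shown in its vulnerable form and in a hardened form that performs the authorization check the vulnerable one omits:

```php
<?php
// Added example, not code from the StaffList plugin. All names are hypothetical.

// VULNERABLE pattern (CWE-862): the handler persists plugin settings without
// ever asking whether the caller is allowed to do so. If it is also registered
// under wp_ajax_nopriv_, even unauthenticated visitors reach this code path.
function stafflist_example_save_settings_vulnerable() {
    $settings = array(
        'show_email' => ! empty( $_POST['show_email'] ),
        'show_phone' => ! empty( $_POST['show_phone'] ),
    );
    update_option( 'stafflist_example_settings', $settings ); // privileged write, no check
    wp_send_json_success( $settings );
}
// The vulnerable registration the fix removes (kept as a comment so the two
// handlers do not both fire on the same action):
// add_action( 'wp_ajax_stafflist_example_save',        'stafflist_example_save_settings_vulnerable' );
// add_action( 'wp_ajax_nopriv_stafflist_example_save', 'stafflist_example_save_settings_vulnerable' );

// HARDENED pattern: authorization (capability check) and request origin
// (nonce check) are verified before any state changes, and the handler is
// registered only for logged-in users (no wp_ajax_nopriv_ hook).
function stafflist_example_save_settings_hardened() {
    // Authorization: only users allowed to manage site options may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // exits
    }
    // CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'stafflist_example_save', 'nonce' ); // dies on failure

    $settings = array(
        'show_email' => ! empty( $_POST['show_email'] ),
        'show_phone' => ! empty( $_POST['show_phone'] ),
    );
    update_option( 'stafflist_example_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_stafflist_example_save', 'stafflist_example_save_settings_hardened' );
```

The hardened handler can still be reached by any logged-in user, which is why the capability check, not the login requirement alone, is what closes the missing-authorization gap.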