Impact
The Toast Plugins Internal Link Optimiser WordPress plugin is missing an authorization check (CWE-862) on its settings-update path: the code that writes the plugin's configuration does not verify that the caller holds the capability normally required to change it. An attacker who can reach that settings-update functionality can therefore alter the plugin's configuration without the intended privileges, which may in turn open further avenues of compromise, such as enabling functionality that assists other attacks or exposing sensitive data.
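As an added illustration of the flaw class described above (this is not code from the Internal Link Optimiser plugin or from Toast Plugins; the hook names, option name, nonce action and script handle are hypothetical), the following shows the generic WordPress pattern behind a CWE-862 settings flaw next to its hardened form. The key point is that a WordPress `wp_ajax_{action}` hook fires for any logged-in user regardless of role, and that a nonce check by itself is a CSRF defence, not an authorization check; the capability test is the line whose absence makes this a CWE-862 issue.

```php
<?php
/**
 * Illustrative example only. This is NOT the Internal Link Optimiser plugin's
 * code; the hook names, option name and nonce action below are hypothetical.
 */

// --- VULNERABLE PATTERN ------------------------------------------------------
// wp_ajax_{action} hooks run for ANY authenticated user, whatever their role.
// Nothing here confirms the caller may manage plugin settings, so an account
// with a low-privileged role can rewrite the option (CWE-862).
function demo_ilo_save_settings_vulnerable() {
    $value = isset( $_POST['auto_link'] )
        ? sanitize_text_field( wp_unslash( $_POST['auto_link'] ) )
        : '';
    update_option( 'demo_ilo_auto_link', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_demo_ilo_save', 'demo_ilo_save_settings_vulnerable' );

// --- HARDENED PATTERN --------------------------------------------------------
function demo_ilo_save_settings_fixed() {
    // 1. CSRF: the nonce proves the request originated from a page WordPress
    //    rendered for this user. On its own it says nothing about what the
    //    user is allowed to do.
    check_ajax_referer( 'demo_ilo_save', 'nonce' );

    // 2. Authorization: the check whose absence is CWE-862. manage_options is
    //    the capability WordPress core itself requires for options.php.
    //    wp_send_json_error() ends execution via wp_die().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Only now accept and sanitize the input.
    $value = isset( $_POST['auto_link'] )
        ? sanitize_text_field( wp_unslash( $_POST['auto_link'] ) )
        : '';
    update_option( 'demo_ilo_auto_link', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_demo_ilo_save_fixed', 'demo_ilo_save_settings_fixed' );

// The settings page must hand a nonce to its script so the hardened handler can
// verify it. The nonce action string must match the one check_ajax_referer()
// expects above. The page hook suffix and script path are hypothetical.
function demo_ilo_enqueue_settings_script( $hook ) {
    if ( 'settings_page_demo-ilo' !== $hook ) {
        return;
    }
    wp_enqueue_script(
        'demo-ilo-settings',
        plugins_url( 'settings.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-ilo-settings', 'demoIlo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_ilo_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_ilo_enqueue_settings_script' );
```

To confirm the difference on a test site, log in as a user with the Subscriber role and POST `action=demo_ilo_save&auto_link=1` to `wp-admin/admin-ajax.php`: the vulnerable handler writes the option and returns success, while the hardened handler (`action=demo_ilo_save_fixed`, with the nonce from the settings page) refuses with a 403 unless the account holds `manage_options`. Plugins that save settings through the Settings API and `options.php` get the `manage_options` check from WordPress core for free; custom AJAX or `admin_post_` handlers have to perform it themselves, which is where this class of flaw usually appears.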
Affected Systems
Any WordPress site running Toast Plugins Internal Link Optimiser at version 5.1.2 or earlier is affected. The issue lies in the plugin's own code, so it applies regardless of the active theme, hosting platform or server configuration; only installations that have upgraded to a release later than 5.1.2 are out of scope.
Risk and Exploitability
A CVSS score of 6.5 places the flaw in the medium severity range, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack is carried out remotely over HTTP against the site's WordPress back end. The description does not state which privilege level the missing check was meant to enforce, so the exact precondition is inferred: in a CWE-862 flaw of this kind the attacker typically needs some foothold on the site, for example an account at a role that is not supposed to manage settings, and uses it to reach a settings handler that never confirms the caller's capability. If the affected handler is reachable without any authentication, no foothold is needed at all. In practice the exposure is greatest on sites that allow open user registration, hand out low-privileged accounts to untrusted parties, or expose the admin interface with weak credentials; a site with no untrusted accounts and a well-protected login is at lower risk but should still update.