The vulnerability is a missing authorization flaw that allows attackers to bypass the plugin’s access control safeguards and modify or view the logo settings and related data. This flaw falls under CWE‑862, where a user executing privileged operations gains elevated privileges without proper checks. The ability to alter the logo or its configuration could be leveraged to inject malicious content or obscure defacement of a WordPress site, thereby compromising the confidentiality, integrity, and potentially the appearance of the site.

InfoGiants Simple Website Logo plugin is affected. All releases up through version 1.1 are vulnerable. The issue is present in every release of the plugin that has not been upgraded beyond 1.1, including any instances where the plugin was installed with default or insufficiently restricted permissions.

The CVSS score of 5.3 categorizes the risk as moderate, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a remote web request directed at the plugin’s management interface or endpoints that are exposed by the WordPress installation. It is inferred that an attacker would need remote web access to the site and the ability to submit requests to the plugin’s endpoints; no exploitation prerequisites such as local privileges or specialized knowledge are described in the available data.