Impact
The flaw is a missing authorization issue (CWE-862) in RomanCode MapSVG’s mapsvg-lite-interactive-vector-maps plugin. Because the plugin’s access control is improperly configured, users who should not have elevated privileges may gain access to restricted functions within the plugin. The description gives no further detail, so the impact is inferred: an attacker could modify, delete, or otherwise tamper with map data or configuration settings that are normally protected, compromising data integrity and possibly exposing sensitive information embedded in maps.
Affected Systems
WordPress sites that have installed RomanCode MapSVG mapsvg-lite-interactive-vector-maps at any version up to and including 8.6.4 are affected. The plugin is commonly used to embed interactive vector maps, so any site served by WordPress that relies on this plugin and runs a vulnerable version is at risk.
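To check a site against the affected range above, the following added example (not code from the advisory or from the plugin) reads the plugin's header and compares the version with 8.6.4. It assumes the default `wp-content/plugins/<slug>` layout; `write_sample` and its `mapsvg.php` file name are hypothetical and only build a constructed tree for testing.

```python
import re
import sys
from pathlib import Path

SLUG = "mapsvg-lite-interactive-vector-maps"  # plugin slug named in the advisory
LAST_AFFECTED = (8, 6, 4)                     # "up to and including 8.6.4"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'8.6.4' -> (8, 6, 4); suffixes like '-beta' are ignored, None if no number."""
    nums = re.match(r"\d+(?:\.\d+)*", text)
    if not nums:
        return None
    parts = [int(p) for p in nums.group().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 8.6.4.0 as 8.6.4
        parts.pop()
    return tuple(parts)

def installed_version(wp_root):
    """Version string from the plugin header, '' if unreadable, None if absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG  # assumed layout
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress itself only reads the first 8 KB of a file for plugin headers
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if "Plugin Name:" in head:
            m = VERSION_RE.search(head)
            return m.group(1) if m else ""
    return ""

def status(wp_root):
    """Return 'not installed', 'affected', 'not affected' or 'unknown'."""
    version = installed_version(wp_root)
    if version is None:
        return "not installed"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    return "affected" if parsed <= LAST_AFFECTED else "not affected"

def write_sample(wp_root, version):
    """Build a constructed plugin tree (hypothetical file name) for testing."""
    d = Path(wp_root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True, exist_ok=True)
    (d / "mapsvg.php").write_text(f"<?php\n/*\n * Plugin Name: MapSVG\n * Version: {version}\n */\n")

if __name__ == "__main__":
    for root in sys.argv[1:]:  # pass one or more WordPress root directories
        print(f"{root}: {SLUG} is {status(root)}")
```

An "unknown" result means the header could not be parsed and the site should be checked by hand.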
Risk and Exploitability
The CVSS score of 5.0 places it in the medium severity range, while the EPSS score of less than 1% indicates a very low estimated probability of exploitation. The flaw is not listed in the CISA KEV catalog. An attacker would most likely exploit the vulnerability through the web interface of the WordPress site, using normal HTTP requests to trigger the incorrectly authorized actions. Since the plugin is a WordPress component, the attack vector is remote and requires either an authenticated session or the ability to reach the relevant plugin endpoints. Detailed prerequisites are not specified in the description, but broken access control generally implies elevation of privileges within the application.