The vulnerability involves missing authorization checks in the Slazzer Background Changer WordPress plugin, allowing users to invoke functionality that should be limited by access control lists. An attacker who can access the plugin’s administrative endpoints can exploit this flaw to perform actions beyond the intended user privileges, potentially modifying image backgrounds or triggering other plugin operations without proper permission. The weakness aligns with CWE‑862, indicating a breach of authority boundaries. The impact is therefore a potential compromise of data integrity or service availability within the affected WordPress site.

WordPress sites using the Slazzer Background Changer plugin by Slazzer, any release from the initial version through 3.14 inclusive. The vendor name is Slazzercom: Slazzer Background Changer, and the vulnerability affects all editions and configurations of the plugin up to version 3.14.

The CVSS score of 5.3 indicates a medium severity assessment with moderate potential impact in the absence of mitigation. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a web-based request to the plugin’s endpoints; a remote attacker could exploit this if the WordPress environment does not enforce proper role checks. Since the vendor has not released a dedicated patch or workaround, remediation relies on updating the plugin or tightening access controls to mitigate the risk.