Impact
The Starfish Review Generation & Marketing plugin for WordPress contains a missing authorization flaw (CWE-862) that enables an attacker to elevate privileges on the site. Certain plugin functions are reachable without proper access-control checks, so an authenticated user with limited rights can obtain higher privileges or perform unauthorized actions through the plugin. The description explicitly states that the flaw permits privilege escalation but does not detail the specific actions or outcomes beyond that.
Affected Systems
All versions of the Starfish Review Generation & Marketing plugin from the earliest available release through 3.1.19 are affected. Any WordPress installation that has this plugin installed within that version range is vulnerable. No other WordPress components are mentioned as affected.
Risk and Exploitability
The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild to date. The vulnerability is not listed in the CISA KEV catalog. The CVE does not specify how the flaw is triggered, but it is reasonable to infer that the attack path involves reaching privileged plugin endpoints that should be gated by authorization checks; an attacker would typically need some existing authenticated access to the WordPress administrative area to exploit the missing checks. The risk is therefore that an attacker who already holds limited site access can promote themselves to higher privileges, which could facilitate further damage such as site takeover or unsafe content manipulation.
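As an added illustration of the CWE-862 pattern in a WordPress plugin (example code, not the Starfish plugin's code and not taken from the advisory; the action and option names are hypothetical), the weak form below is an admin-ajax handler that any logged-in user can reach because being authenticated is treated as authorization, while the hardened form enforces a nonce and an explicit capability check before touching the privileged setting:

```php
<?php
// Added example; hypothetical action/option names, not the plugin's own.

// Weak form (CWE-862): the wp_ajax_ hook only requires a logged-in user,
// so a low-privilege account (e.g. subscriber) can call this and change a
// setting that should be reserved for administrators.
add_action('wp_ajax_example_update_settings', 'example_update_settings_unchecked');
function example_update_settings_unchecked() {
    $value = sanitize_text_field($_POST['setting'] ?? '');
    update_option('example_plugin_settings', $value); // privileged write, no check
    wp_send_json_success();
}

// Hardened form: reject requests that lack a valid nonce, then require the
// capability the action actually needs. Authentication alone is not enough.
add_action('wp_ajax_example_update_settings_safe', 'example_update_settings_checked');
function example_update_settings_checked() {
    // Dies with 403 if the 'nonce' field does not match the expected action.
    check_ajax_referer('example_settings_nonce', 'nonce');

    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    $value = sanitize_text_field($_POST['setting'] ?? '');
    if ($value === '') {
        wp_send_json_error('missing setting', 400);
    }
    update_option('example_plugin_settings', $value);
    wp_send_json_success();
}
```

When reviewing a plugin for this class of flaw, look at every `wp_ajax_*`, REST route `permission_callback`, and `admin_post_*` handler and confirm that each one checks a capability, not merely `is_user_logged_in()`.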
OpenCVE Enrichment