Impact
The miniOrange WordPress REST API Authentication plugin suffers from a Missing Authorization flaw that permits users to alter configuration settings beyond their legitimate privileges. The weakness is classified as CWE-862 (Missing Authorization): because access control is not enforced at the required level (an incorrectly configured access control security level), users can override the plugin’s settings through actions they are not authorized to perform. The resulting impact is a compromise of the plugin’s operational integrity, potentially exposing the WordPress site to further vulnerabilities or misuse.
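As an added illustration of the CWE-862 pattern named above (not the plugin’s own code, and not a statement of where its check was missing), the following shows a WordPress REST settings route guarded by a `permission_callback` that enforces a capability check; the route namespace, option name and callback names are hypothetical.

```php
<?php
// Added example, not from the plugin: a settings route that enforces
// authorization in the permission callback (the point where CWE-862 is avoided).
// Namespace, option name and function names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-auth/v1', '/settings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_auth_get_settings',
            // Weak pattern to avoid: '__return_true' here would let any requester in.
            'permission_callback' => 'example_auth_can_manage',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_auth_update_settings',
            'permission_callback' => 'example_auth_can_manage',
            'args'                => array(
                'enabled' => array( 'type' => 'boolean', 'required' => true ),
            ),
        ),
    ) );
} );

// Authorization check shared by both methods. WordPress cookie authentication
// only sets the current user when a valid X-WP-Nonce accompanies the request,
// so the logged-in test also rejects nonce-less cross-site requests.
// Returning WP_Error makes the REST server answer 401/403 instead of running the callback.
function example_auth_can_manage( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Any authenticated account is NOT enough: settings changes require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

function example_auth_get_settings( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_auth_settings', array( 'enabled' => false ) ) );
}

function example_auth_update_settings( WP_REST_Request $request ) {
    // Capability already verified by the permission callback; only shape the input here.
    $settings = array( 'enabled' => (bool) $request->get_param( 'enabled' ) );
    update_option( 'example_auth_settings', $settings, false );
    return rest_ensure_response( $settings );
}
```

The defensive check belongs in the permission callback rather than inside the route callback, because WordPress evaluates it before any handler code runs.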
Affected Systems
The vulnerability affects the miniOrange WordPress REST API Authentication plugin for all versions from the earliest released version up to and including version 3.6.3. Administrators managing sites that use this plugin should verify the installed version.
Risk and Exploitability
The CVSS score of 5.4 classifies the issue as moderate severity, but the EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be authenticated: any user holding credentials who can reach the plugin’s REST API endpoints could potentially modify settings. The low exploitation probability, coupled with the moderate CVSS score, suggests that while the flaw should be addressed, the immediate threat is limited. Nonetheless, because it enables unauthorized configuration changes, remediation is advisable.
OpenCVE Enrichment
EUVD