Impact
The vulnerability is a missing authorization flaw in the WordPress AI Text to Speech plugin (Elliot Sowersby / RelyWP) that permits unauthorized users to perform actions reserved for privileged users. Because access control checks are absent, an attacker could exploit this flaw to read, modify, or delete text-to-speech configurations or uploaded content, potentially leading to data tampering or exposure. The weakness corresponds to CWE‑862, which focuses on missing or insufficient authorization checks.
Affected Systems
The flaw affects all installations of the AI Text to Speech plugin by Elliot Sowersby / RelyWP at versions up to and including 3.0.3, irrespective of the specific WordPress host. No lower bound is given for the affected range (the earliest affected release is listed as n/a).
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS value of less than 1% suggests a low likelihood of exploitation in the wild at present. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, through the WordPress site’s front‑end or administrative interface, where an attacker could send crafted requests to privileged endpoints without proper authentication. Successful exploitation would grant unauthorized control over the plugin’s functionality without needing valid user credentials. The low EPSS value points to a low likelihood of active exploitation, but the impact on a compromised site could be significant.