The vulnerability is a missing authorization flaw that allows an attacker to change settings in the Custom PC Builder Lite for WooCommerce plugin. By exploiting incorrect access control, an unauthorized or minimally privileged user can modify configuration values, potentially altering site behavior or compromising user experience. This weakness falls under CWE‑862 and does not directly enable code execution but can degrade application integrity and trust.

This flaw affects the ChoPlugins.com Custom PC Builder Lite for WooCommerce plugin versions from the earliest releases through 1.0.1. WordPress sites using any of these affected plugin versions are at risk if users can access the plugin’s settings page without proper capability checks.

Based on the description, the likely attack vector is exploitation through authenticated access to the WordPress dashboard, typically by a user with administrator or editor privileges, into the plugin’s settings interface. The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible, especially on active sites where many users have elevated roles. The vulnerability is not listed in the CISA KEV catalog, so no known active exploitation campaigns have been reported. Control of those roles mitigates the immediate threat, but the absence of proper checks means any user with any logged‑in capability could potentially change settings if the role’s capabilities are not appropriately restricted.