Impact
The vulnerability is a missing authorization flaw (CWE-862) in the BdThemes Element Pack Pro WordPress plugin: one or more plugin functions can be reached without the access control check that should gate them. By abusing this flaw, a malicious actor could invoke protected administrative functions or read protected data without holding the privilege those operations require, potentially leading to the disclosure of sensitive information or manipulation of site content.
Affected Systems
The flaw affects sites running the BdThemes Element Pack Pro plugin at version 7.18.12 or earlier; it is addressed in version 8.0.0 and later. All WordPress installations that expose the plugin at v7.x or earlier to the internet are vulnerable. No specific operating system or server configuration is required; the plugin runs on any WordPress site.
Risk and Exploitability
The CVSS score of 5.4 indicates medium severity, while the EPSS score of less than 1% suggests a low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning it has not yet been identified as a known exploited vulnerability. Attackers would need remote web access to the affected WordPress site, and would likely exploit the flaw by sending specially crafted requests to the plugin’s endpoints, taking advantage of the missing authorization checks.
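The weakness class described in the Impact and Risk sections above is common in WordPress plugins: an admin-ajax or REST handler is registered, but the callback never asks whether the calling user may perform the operation. The following is an added illustration, not code from Element Pack Pro or from BdThemes; the action names, option name, route and capability are hypothetical. It places the vulnerable pattern beside the hardened form a plugin developer (or a reviewer auditing a plugin) would look for.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin. All names below
// (example_*, 'example_plugin_setting', 'example-plugin/v1') are hypothetical
// and are not identifiers from Element Pack Pro.

// Vulnerable pattern: the action is registered for logged-in users, but the
// callback checks neither a nonce nor a capability, so any authenticated user
// (even a subscriber) can invoke what is meant to be an administrative operation.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// Hardened pattern: verify the request nonce (anti-CSRF) and then require the
// capability the operation actually needs (authorization) before touching state.
add_action( 'wp_ajax_example_save_setting_fixed', 'example_save_setting_fixed' );
function example_save_setting_fixed() {
    // check_ajax_referer() terminates the request with HTTP 403 if the nonce is absent or invalid.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // The missing check in the vulnerable handler: does this user hold the required capability?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success();
}

// The REST equivalent: a permission_callback that returns true unconditionally
// (or is omitted) is the same missing-authorization defect. The callback below
// ties the route to the capability instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_setting',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'value' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_rest_save_setting( WP_REST_Request $request ) {
    update_option( 'example_plugin_setting', $request->get_param( 'value' ) );
    return new WP_REST_Response( array( 'updated' => true ), 200 );
}
```

When triaging a plugin for this class of bug, the useful grep targets are every `add_action( 'wp_ajax_` / `'wp_ajax_nopriv_'` registration and every `register_rest_route` call: each callback should contain a `current_user_can()` (or an equivalent capability check) scoped to the operation, and each REST route should carry a `permission_callback` that does more than return `true`. Sanitizing input, as the vulnerable handler does, is not a substitute for the authorization check.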
OpenCVE Enrichment