Impact
EnvoExtra, a WordPress plugin developed by EnvoThemes, contains a missing authorization flaw: access control on certain operations is not enforced, so an attacker can take advantage of the incorrectly configured access control settings. The vulnerability can let a user perform actions that should be restricted, such as creating, editing, or deleting content, or accessing advanced configuration pages. The missing guard is classified as CWE-862 (Unauthorized Access to a Resource), indicating that the software fails to enforce proper privilege checks on critical operations.
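As an added illustration (not EnvoExtra's code; the hook, handler and option names are hypothetical), the pattern behind a CWE-862 missing authorization flaw in a WordPress plugin action handler, shown beside its corrected form:

```php
<?php
// Added illustration, not the EnvoExtra plugin's code. The names
// 'myplugin_save_settings' and 'myplugin_setting' are assumptions.

// BEFORE (CWE-862): the only gate is the 'wp_ajax_' hook, which requires a
// logged-in session but no particular capability. Any authenticated user who
// can reach admin-ajax.php can therefore overwrite the plugin's configuration.
function myplugin_save_settings_vulnerable() {
    $value = isset( $_POST['setting'] ) ? wp_unslash( $_POST['setting'] ) : '';
    update_option( 'myplugin_setting', sanitize_text_field( $value ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings_vulnerable' );

// AFTER: authorization is enforced inside the handler, in this order:
// 1. a nonce bound to this specific action (rejects forged cross-site requests),
// 2. a capability check matching the sensitivity of the operation
//    ('manage_options' for plugin configuration; a narrower capability such as
//    'edit_posts' or 'delete_posts' for content create/edit/delete operations),
// 3. input sanitization before the write.
function myplugin_save_settings_fixed() {
    check_ajax_referer( 'myplugin_save_settings', 'nonce' ); // terminates on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    $value = isset( $_POST['setting'] ) ? sanitize_text_field( wp_unslash( $_POST['setting'] ) ) : '';
    update_option( 'myplugin_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings_fixed' );

// Configuration pages need the same treatment: the capability passed to
// add_submenu_page() controls the menu entry, but the render callback should
// still check current_user_can() itself rather than rely on the menu alone.
function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ), '', 403 );
    }
    // ... render the settings form, including wp_nonce_field( 'myplugin_save_settings', 'nonce' ) ...
}
```

A quick administrative check is to log in with a Subscriber-level test account and confirm that the plugin's settings endpoints and pages return a 403 rather than acting on the request.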
Affected Systems
This issue affects all installations of the Envo Extra plugin on WordPress sites running plugin version 1.9.9 or earlier. EnvoThemes lists the affected product as "Envo Extra" with a version range from an unspecified base through 1.9.9. Administrators of any WordPress version with the vulnerable plugin installed are at risk.
Risk and Exploitability
The CVSS score of 4.3 reflects moderate severity: unauthorized actions are possible, but without widespread impact on confidentiality, integrity, or availability. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector can be inferred to be the WordPress administrative interface through which plugin pages are reached; an authenticated or partially authenticated user could exploit the missing authorization to invoke privileged functions. However, the description does not detail explicit prerequisites or remote execution paths.
OpenCVE Enrichment