Impact
This vulnerability stems from an authorization oversight, an instance of CWE-862 (Missing Authorization), that allows an attacker to execute privileged actions within the wpWax Legal Pages plugin. Because the plugin fails to enforce the proper permission checks, a user lacking the necessary capabilities can potentially view or alter legal page content and other sensitive data stored by the plugin. This Broken Access Control flaw introduces a risk of data tampering and confidentiality loss on the affected WordPress site.
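The pattern behind CWE-862 in a WordPress plugin is usually a request handler that performs a privileged write without first checking the caller's capability. The snippet below is an added illustration, not code from the wpWax Legal Pages plugin or from wpWax: the AJAX action names, the option key and the request fields are hypothetical. It shows the unchecked handler beside a hardened one that verifies both intent (a nonce) and authority (a capability) before touching plugin data.

```php
<?php
/*
 * Added illustration of CWE-862 in a WordPress plugin and its fix.
 * Not code from the wpWax Legal Pages plugin. The hook names, the option key
 * 'example_legal_page_content' and the POST fields are hypothetical.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} fires for *every* authenticated user, whatever their role,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_save_legal_page', 'example_save_legal_page_unchecked' );
function example_save_legal_page_unchecked() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // No capability check and no nonce: any logged-in account can overwrite
    // the stored legal page text, and a CSRF page can do it on their behalf.
    update_option( 'example_legal_page_content', $content );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_save_legal_page_secure', 'example_save_legal_page_checked' );
function example_save_legal_page_checked() {
    // Intent: the nonce ties this request to a form the user was actually shown
    // (issued with wp_create_nonce( 'example_legal_page_save' ) when rendering).
    // check_ajax_referer() terminates the request if the nonce is missing or bad.
    check_ajax_referer( 'example_legal_page_save', 'nonce' );

    // Authority: only users who may manage site options can change legal pages.
    // wp_send_json_error() exits after sending the response.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Sanitize what is stored: keep post-safe HTML only.
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';
    update_option( 'example_legal_page_content', $content );
    wp_send_json_success();
}

// Read-side handlers that expose plugin data need the same gate; a capability
// check on the write path alone does not prevent unauthorized viewing.
add_action( 'wp_ajax_example_get_legal_page_secure', 'example_get_legal_page_checked' );
function example_get_legal_page_checked() {
    check_ajax_referer( 'example_legal_page_read', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'content' => get_option( 'example_legal_page_content', '' ) ) );
}
```

When reviewing a plugin for this class of flaw, the things to look for are the ones the hardened handlers above add: a `current_user_can()` check with an appropriate capability on every `wp_ajax_*`, REST `permission_callback`, or `admin_post_*` path that reads or writes plugin data, and a nonce check alongside it. A hook registered under `wp_ajax_nopriv_*` runs for unauthenticated visitors as well, so the same checks apply there.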
Affected Systems
The affected systems are WordPress sites running the wpWax Legal Pages plugin at version 1.4.5 or earlier. The plugin is published by the vendor wpWax, and the flaw exists in all releases up to and including version 1.4.5. No specific operating system or WordPress core version constraints are listed, so any site with the vulnerable plugin installed is at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium-severity vulnerability, and its EPSS score of less than 1% reflects a low estimated probability of exploitation. The issue is not listed in the CISA KEV catalog, suggesting no widespread, active exploitation has been reported. Attackers can likely exploit the flaw remotely by reaching the plugin's administrative endpoints over the web, provided they can authenticate or bypass basic access checks. The flaw's impact is confined to the plugin's data and functionality, but an attacker could leverage it for broader site compromise if the plugin handles sensitive information. The risk remains moderate, but given the nature of the missing authorization it is advisable to patch as soon as possible.
OpenCVE Enrichment