Impact
The WP Dummy Content Generator plugin for WordPress contains a missing authorization flaw that permits an attacker to delete any user account on the site. The vulnerability stems from incorrectly configured access control that fails to verify the user’s privileges before executing a deletion operation. Because any user who can trigger the plugin’s functionality could potentially eliminate accounts, the impact is the loss of legitimate user access and the disruption of site operations, which can translate to both availability and integrity risks.
Affected Systems
The flaw affects the Deepak anand WP Dummy Content Generator WordPress plugin versions up to and including 3.4.6. Users running any of these versions, regardless of the site’s configuration or other security measures, are susceptible to unauthorized user deletion.
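One way to check an installation against the affected range is to read each plugin's header comment and compare its version with 3.4.6. The script below is an added example, not code from the advisory or the plugin; it assumes the plugin's main file declares `Plugin Name: WP Dummy Content Generator` in a standard WordPress header and that the plugins directory is passed as an argument.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "WP Dummy Content Generator"  # name as given in the advisory
LAST_AFFECTED = (3, 4, 6)                   # "up to and including 3.4.6"
# WordPress plugin metadata: "Field: value" lines in the main file's header comment.
HEADER_FIELD = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)
# Constructed sample header, shown only to illustrate the assumed format.
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: WP Dummy Content Generator\n * Version: 3.4.6\n */\n"


def parse_header(php_source):
    """Return the lower-cased header fields found in the first 8 KiB of the file."""
    fields = {}
    for key, value in HEADER_FIELD.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value.strip(" */"))
    return fields


def version_tuple(text):
    """'3.4.6' -> (3, 4, 6); ignores a suffix such as '-beta' and trailing zeros."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(n) for n in match.group().split(".")] if match else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version):
    """True at or below 3.4.6. An unparseable version gives () and is flagged for review."""
    return version_tuple(version) <= LAST_AFFECTED


def find_affected(plugins_dir):
    """Return [(path, version)] for affected copies of the plugin under plugins_dir."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_header(php.read_text(encoding="utf-8", errors="replace"))
        if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        if is_affected(header.get("version", "")):
            hits.append((str(php), header.get("version", "")))
    return hits


if __name__ == "__main__":  # e.g. python check_plugin.py /path/to/wp-content/plugins
    for path, version in find_affected(sys.argv[1]):
        print(f"AFFECTED {version or 'unknown version'}: {path}")
```

The match is on the declared plugin name rather than the directory name, so a renamed plugin folder is still found.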
Risk and Exploitability
The CVSS score of 6.5 indicates a medium-severity vulnerability. The EPSS value of less than 1% suggests a low probability of exploitation in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote invocation of the plugin’s deletion functionality by an authenticated or compromised user who is able to activate the feature. An attacker needs no privileges beyond those that allow plugin operation, so the risk is present on any site where the plugin is enabled and users can trigger delete actions.