Impact
A broken access control flaw in the Hype plugin up to version 1.0.5 permits attackers to bypass intended authorization checks, exposing privileged functionality to users who should be denied access. The weakness is categorized as CWE‑862, which signifies missing authorization logic that can lead to data exposure or improper operation. While the CVSS score indicates moderate severity, the flaw can undermine the integrity of the site’s content and configuration settings.
Affected Systems
Any WordPress site that has the Hype plugin installed with a version of 1.0.5 or earlier is impacted. The vulnerability applies to all installations of the Hype Hype pico module within the specified version range, regardless of other installed plugins or themes.
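An added example (not from the advisory or the plugin's code) for checking whether an installed copy falls in the affected range: it reads the version from the standard WordPress plugin header and compares it numerically with 1.0.5. The path to the plugin's main PHP file is supplied by the caller, and the sample headers are constructed.

```python
import re
import sys

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = "1.0.5"

# WordPress reads plugin metadata from "Key: value" lines in the leading
# comment of the plugin's main PHP file (only the first 8 KB is scanned).
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def parse_plugin_header(php_source):
    """Return {'plugin name': ..., 'version': ...} from a plugin main file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        # Drop a trailing comment terminator, then surrounding whitespace.
        cleaned = re.sub(r"\s*(\*/|\?>).*$", "", value).strip()
        fields.setdefault(key.lower(), cleaned)
    return fields

def version_key(version):
    """Turn '1.0.10' into (1, 0, 10) so comparison is numeric, not lexical."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:  # treat 1.0.5.0 as equal to 1.0.5
        parts.pop()
    return tuple(parts)

def is_affected(php_source, last_affected=LAST_AFFECTED):
    """True if version <= last_affected, False if newer, None if unknown."""
    version = parse_plugin_header(php_source).get("version")
    if not version or not re.search(r"\d", version):
        return None
    return version_key(version) <= version_key(last_affected)

# Constructed sample headers (not copied from the real plugin).
SAMPLE_OLD = """<?php
/**
 * Plugin Name: Example Plugin
 * Version: 1.0.5
 */
"""
SAMPLE_NEW = SAMPLE_OLD.replace("1.0.5", "1.0.10")

if __name__ == "__main__":
    # Usage: python check_version.py /path/to/plugin-main-file.php ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, {True: "AFFECTED", False: "newer than 1.0.5",
                         None: "version not found"}[is_affected(fh.read())])
```

A result of `None` means the file had no readable version header and needs a manual look rather than being treated as unaffected.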
Risk and Exploitability
The CVSS score of 5.3 reflects medium risk, and the EPSS score of less than 1% suggests low exploitation probability at present. This CVE is not listed in the CISA KEV catalog. The likely attack vector involves an adversary who can reach the plugin’s endpoints, such as a logged‑in user with standard privileges or an unauthenticated user triggering an endpoint that incorrectly bypasses role checks. The precise conditions are not explicitly detailed in the description, so administrators should assume that anyone able to access the plugin’s administrative or AJAX interfaces could exploit the vulnerability. As a result, the flaw can lead to unauthorized configuration changes or access to sensitive content.