A missing authorization flaw in the Reuters Direct WordPress plugin allows users to access or manipulate plugin features beyond their intended privileges. The vulnerability is classified as a broken access control weakness (CWE‑862). Without proper role checks, attackers could read sensitive content, modify settings, or hijack content operations, compromising the confidentiality, integrity, and possibly availability of site information.

The flaw impacts any WordPress site that installs the Reuters Direct plugin version 3.0.0 or earlier. The affected product is the Reuters Direct plugin provided by the Reuters News Agency, and no specific operating system or WordPress core version constraints are documented.

The CVSS score of 5.3 indicates medium severity, while the EPSS score of less than 1% suggests that exploitation is unlikely at this time. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker, either with existing authenticated access or by creating a user with higher privileges, sending crafted web requests to the plugin’s endpoints that bypass the intended role checks. Attackers are unable to achieve arbitrary code execution, but can gain unauthorized control over plugin functions and access privileged data.