The vulnerability is a missing authorization flaw in the Actionwear products sync plugin for WordPress, classified as CWE‑862. It allows an attacker who can reach the plugin’s administrative routes to trigger synchronization actions without the proper role checks, potentially modifying or creating product data. The lack of role verification enables execution of plugin‑level functions in contexts where they should be restricted to privileged users only.

All installations of the Actionwear products sync plugin provided by marcoingraiti running any version up to and including 2.3.3 are affected. The version range begins with the earliest documented release and extends through 2.3.3, as the CVE description lists no lower bound. Site owners should check the current version of the plugin on their WordPress sites and determine if it is within the affected range.

The CVSS score of 4.3 indicates moderate severity, focusing on integrity and availability within the WordPress installation rather than remote code execution or full system compromise. The EPSS score of less than 1 % indicates a low likelihood of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. The exploit appears to target the plugin’s administrative endpoint over the network, and an attacker would need either authenticated access to the WordPress site or the ability to bypass the default permission controls. Because the flaw is limited to the plugin’s scope and the exploitation likelihood is low, environments that enforce strict role assignments may experience moderate risk, but the vulnerability remains valid for all affected installations.