Impact
A missing authorization flaw in the DELUCKS SEO WordPress plugin allows attackers to access functionality that is not properly constrained by access control lists. Unauthorized users may be able to perform actions intended only for privileged users, potentially exposing sensitive site data or allowing further exploitation of the system. The weakness is classified as CWE-862 (Missing Authorization): the plugin does not perform an authorization check before acting on a request.
Affected Systems
The affected plugin is DELUCKS SEO, in all versions up to and including 2.5.9. Any WordPress site running one of these versions is susceptible. No specific operating systems or PHP versions are listed, so the vulnerability applies to any environment running the plugin up to the stated release.
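To check an installation against the affected range, the added example below (not code from the plugin or the advisory) reads the `Version:` field from a plugin header and compares it numerically with 2.5.9. The directory name `delucks-seo` and the sample header are assumptions constructed for illustration.

```python
import re
from pathlib import Path

LAST_AFFECTED = (2, 5, 9)         # from the advisory: affected through 2.5.9 inclusive
PLUGIN_DIR_NAME = "delucks-seo"   # assumption: install directory name, not given on the page

# Same line shape WordPress accepts for header fields inside a PHP comment.
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def header_version(php_source):
    """Return the Version value from a WordPress plugin header comment, or None."""
    m = HEADER_VERSION.search(php_source[:8192])  # WordPress reads only the first 8 KiB
    return m.group(1) if m else None

def version_tuple(version):
    """Turn '2.5.10' or '2.5.9-beta' into a tuple of ints, padded to three parts."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """Numeric comparison: a string comparison would wrongly place 2.5.10 below 2.5.9."""
    return version_tuple(version) <= LAST_AFFECTED

def scan(plugins_root):
    """Return (file, version, affected) for each PHP file carrying a plugin header."""
    results = []
    for php in sorted(Path(plugins_root, PLUGIN_DIR_NAME).glob("*.php")):
        version = header_version(php.read_text(errors="replace"))
        if version:
            results.append((php.name, version, is_affected(version)))
    return results

# Constructed sample header, not copied from the real plugin.
SAMPLE = """<?php
/**
 * Plugin Name: DELUCKS SEO
 * Version: 2.5.9
 */
"""

if __name__ == "__main__":
    v = header_version(SAMPLE)
    print(v, "affected" if is_affected(v) else "outside the affected range")
```

Call `scan()` with the path to a site's `wp-content/plugins` directory to check an installed copy.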
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low but non-zero probability that the flaw is actively exploited at this time. The vulnerability is not listed in the CISA KEV catalog. The CVE description does not state the attack vector explicitly; the inference is that the flaw can be triggered through web requests to the plugin's administrative endpoints and likely requires no special privileges. The risk, consequently, is that attackers who can reach a site running the vulnerable plugin could elevate their privileges on that site.