Impact
The Arconix FAQ WordPress plugin contains a missing authorization check (CWE-862): a privileged action in the plugin is reachable by users whose role does not grant that privilege. This broken access control could let a low-privileged attacker modify FAQ entries, delete content or change plugin settings, compromising the integrity of the site's FAQ data and potentially exposing information that was not meant to be shown.
Affected Systems
The vulnerability affects TycheSoftwares' Arconix FAQ plugin for WordPress in versions up to and including 1.9.6. Every installation running that release or an earlier one is susceptible; the flaw is present in all releases prior to the version that adds the proper access checks.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1 % signals that exploitation attempts are currently expected to be rare. The plugin exposes no remote code execution or data exfiltration capability, so the primary risk is unauthorized manipulation of FAQ content. Because the flaw lies in how the plugin enforces access levels rather than in authentication, the attack vector most likely requires an authenticated user with insufficient privileges interacting with the plugin's administrative interface; without such an account, exploitation would be difficult. The vulnerability is not listed in CISA's KEV catalog, so no widespread active exploitation is documented.
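The pattern behind a CWE-862 finding in a WordPress plugin is usually an admin-ajax or admin-post handler that is registered for every logged-in user but never asks whether the caller is allowed to perform the action. The following added example is not code from the Arconix FAQ plugin; the hook names, option key, post type and function names are hypothetical. It shows a settings handler and a delete handler first without, then with, the capability and nonce checks a reviewer would expect to find.

```php
<?php
// Added illustration, not code from the Arconix FAQ plugin. Hook names,
// the option key, the post type and all function names are hypothetical.

// BEFORE: wp_ajax_* hooks fire for every authenticated user regardless of
// role, so any Subscriber can reach this handler and rewrite the option.
// (Only one of the two save handlers would be registered in practice; both
// add_action calls are shown so the contrast is explicit.)
add_action( 'wp_ajax_example_faq_save_settings', 'example_faq_save_settings_unchecked' );
function example_faq_save_settings_unchecked() {
    $display = sanitize_text_field( wp_unslash( $_POST['display_mode'] ?? '' ) );
    update_option( 'example_faq_display_mode', $display ); // no authorization check
    wp_send_json_success();
}

// AFTER: verify intent (nonce) and authority (capability) before any write.
add_action( 'wp_ajax_example_faq_save_settings', 'example_faq_save_settings_checked' );
function example_faq_save_settings_checked() {
    // The nonce ties the request to a form this user actually loaded (CSRF defence).
    // It is not an authorization check on its own, which is why the next test exists.
    check_ajax_referer( 'example_faq_settings', '_wpnonce' );

    // Authorization: only users who may manage site options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_privileges', 403 );
    }

    // Input validation: accept only the values the plugin defines.
    $allowed = array( 'accordion', 'list' );
    $display = sanitize_text_field( wp_unslash( $_POST['display_mode'] ?? '' ) );
    if ( ! in_array( $display, $allowed, true ) ) {
        wp_send_json_error( 'invalid_value', 400 );
    }
    update_option( 'example_faq_display_mode', $display );
    wp_send_json_success();
}

// Deleting a specific FAQ entry needs a per-object check, not a blanket role test.
add_action( 'wp_ajax_example_faq_delete_entry', 'example_faq_delete_entry_checked' );
function example_faq_delete_entry_checked() {
    check_ajax_referer( 'example_faq_delete', '_wpnonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // Confine the handler to the plugin's own post type (hypothetical slug).
    if ( ! $post_id || get_post_type( $post_id ) !== 'example_faq' ) {
        wp_send_json_error( 'not_found', 404 );
    }

    // 'delete_post' is a meta capability: WordPress resolves it to delete_posts or
    // delete_others_posts for this particular post, so an Author cannot remove
    // someone else's entry even though they may delete their own.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'insufficient_privileges', 403 );
    }

    // Trash rather than purge, so an accidental or malicious deletion is recoverable.
    wp_trash_post( $post_id );
    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, list every callback wired to `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `admin_post_nopriv_*` hooks, and confirm that each one that writes data calls `current_user_can()` with the appropriate capability (and a post ID for per-object actions) in addition to verifying a nonce; a nonce check alone only proves the request came from a page the user loaded, not that the user is allowed to perform the action.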