Impact
The vulnerability is a missing authorization flaw that lets users reach WordPress plugin functionality that should be restricted by access control lists. Because the plugin does not enforce the expected ACL checks, unauthenticated users, or authenticated users without the required role, could invoke actions or retrieve data intended for privileged roles. Depending on which capabilities the plugin exposes, this can compromise the confidentiality, integrity, or availability of the site.
Affected Systems
The affected product is the Jjlemstra Whydonate WordPress plugin; all releases up to and including version 4.0.15 are vulnerable. Site operators should check the installed plugin version against this range.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of this assessment. The vulnerability is not listed in CISA’s KEV catalog. The description does not specify the exact attack vector, but the inferred path is crafted requests to the plugin’s endpoints from users who lack the required permissions. An attacker would need to target a site running the vulnerable plugin, and the impact is limited to the plugin’s functional scope.
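To make the flaw class concrete for maintainers and reviewers, the following is an added illustration and not code from the Whydonate plugin: a hypothetical plugin registers a REST route and an admin-ajax handler, first without an authorization check (the pattern this advisory describes) and then with the capability and nonce checks a maintainer would add. All route, option and function names are assumptions.

```php
<?php
// Added illustration, not the Whydonate plugin's code. Route, option and
// function names are hypothetical; the point is the authorization pattern.

// --- Vulnerable pattern: the route is reachable by anyone ---------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        // '__return_true' disables the permission check entirely, so any
        // request, authenticated or not, reaches the callback.
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened pattern: permission_callback enforces a capability ------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Only users allowed to manage site options may change settings.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'goal' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

function example_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_goal', absint( $request->get_param( 'goal' ) ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- admin-ajax handler: a logged-in check alone is not authorization --------
// Registering only 'wp_ajax_' (and not 'wp_ajax_nopriv_') rejects anonymous
// callers, but every logged-in role, including subscribers, still reaches
// this code, so the capability check below is what restricts the action.
add_action( 'wp_ajax_example_export', function () {
    check_ajax_referer( 'example_export', 'nonce' );   // blocks cross-site requests
    if ( ! current_user_can( 'export' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    wp_send_json_success( array( 'goal' => get_option( 'example_plugin_goal' ) ) );
} );
```

When auditing a plugin for this class of flaw, grep for `permission_callback` values of `__return_true` and for `wp_ajax_nopriv_` or `wp_ajax_` handlers that never call `current_user_can()`.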
OpenCVE Enrichment