Impact
A missing authorization flaw in the CoSchedule WordPress plugin allows an attacker to bypass the plugin's configured security levels, gaining access to data and actions that should be restricted. The weakness is a classic instance of broken access control, classified as CWE-862. It lets an authenticated or unauthenticated user perform operations beyond those intended for their role, potentially exposing sensitive content and undermining the integrity of the site.
Affected Systems
The vulnerability affects the CoSchedule "coschedule-by-todaymade" plugin version 3.4.0 and all earlier releases. Site operators running WordPress with this plugin installed are impacted until they upgrade to a patched version.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation at present. The issue is not listed in the CISA KEV catalog, suggesting no known widespread attacks. The likely attack path is an attacker reaching the plugin's functionality through its incorrectly configured access controls, either via a crafted URL or by leveraging an existing authenticated session. No local or remote privilege escalation prerequisites are noted beyond the misconfiguration.
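To show what the CWE-862 pattern looks like in WordPress plugin code and how it is fixed, here is an added example that is not code from the CoSchedule plugin: a hypothetical REST route whose weak form grants access to everyone and whose hardened form enforces a capability check. The namespace "example-plugin/v1", the option name "example_plugin_settings" and all function names are assumptions for illustration.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
 * Hypothetical code, not taken from the CoSchedule plugin. The namespace
 * "example-plugin/v1", the option "example_plugin_settings" and all function
 * names are assumptions for this example.
 */

add_action( 'rest_api_init', 'example_plugin_register_routes' );

function example_plugin_register_routes() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'  => WP_REST_Server::EDITABLE,
        'callback' => 'example_plugin_update_settings',
        // Weak form: 'permission_callback' => '__return_true' lets any visitor,
        // logged in or not, reach the callback below. That is the missing
        // authorization defect. The hardened form delegates to a real check.
        'permission_callback' => 'example_plugin_can_manage',
        'args' => array(
            'api_key' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

// Authorization: only users who may manage site options can change the settings.
// Without a valid X-WP-Nonce header, WordPress core does not treat a
// cookie-authenticated request as the logged-in user, so current_user_can()
// fails and an existing browser session alone is not enough.
function example_plugin_can_manage( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to change these settings.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Callback: WordPress runs it only after permission_callback returned true.
function example_plugin_update_settings( WP_REST_Request $request ) {
    $settings = array( 'api_key' => $request->get_param( 'api_key' ) );
    update_option( 'example_plugin_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When reviewing a plugin for this class of flaw, search its REST route registrations and admin-ajax handlers for `__return_true` permission callbacks or handlers that never call `current_user_can()`; each such endpoint needs an explicit authorization decision.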
OpenCVE Enrichment