Impact
The vulnerability is a missing authorization flaw in the WP-Recall plugin: certain functions can be invoked without being protected by the plugin's access control checks. Because the plugin does not verify the caller's privileges before performing these operations, an attacker who can reach the plugin's web endpoints, whether by authenticating or by bypassing authentication, could perform actions that should be restricted, such as viewing or modifying sensitive data or configuration settings. This impact is inferred from the reported lack of authorization checks.
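The class of defect described above is easiest to see in code. The following is an added illustration written for this page, not WP-Recall's own code or anything taken from the plugin: a generic WordPress AJAX handler that writes a plugin option, shown first as it looks when the authorization check is missing and then in hardened form, followed by the equivalent REST route. The hook names, option name, nonce action and REST namespace are hypothetical, and the code assumes it runs inside a WordPress plugin so that the WordPress API functions are available.

```php
<?php
/**
 * Added example (not WP-Recall's code). Hook, option and nonce names are
 * hypothetical. Assumes the WordPress runtime (wp_ajax_*, current_user_can, etc.).
 */

// --- Vulnerable pattern: the handler trusts any request that reaches it. ---
// wp_ajax_* hooks run only for logged-in users; wp_ajax_nopriv_* also runs for
// anonymous visitors. Neither hook checks what the caller is allowed to do, so a
// handler registered this way has no authorization at all.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_insecure' );
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_insecure' );

function example_save_setting_insecure() {
    // No capability check and no nonce: any logged-in subscriber (and, via the
    // nopriv hook, any anonymous visitor) can change the option.
    update_option( 'example_plugin_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern: nonce, capability check, then input validation. ---
add_action( 'wp_ajax_example_save_setting_secure', 'example_save_setting_secure' );
// Deliberately no wp_ajax_nopriv_ hook: a configuration write has no anonymous use case.

function example_save_setting_secure() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // 2. Authorization: the capability decides, not the mere fact of being logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Validate the input before the privileged write.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'value' => $value ) );
}

// The same rule applies to a REST route: permission_callback is the authorization
// check and must never be __return_true for a privileged operation.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( $request->get_param( 'value' ) );
            update_option( 'example_plugin_setting', $value );
            return rest_ensure_response( array( 'value' => $value ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'value' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of flaw, the useful check is mechanical: every wp_ajax_*, wp_ajax_nopriv_* and admin_post_* callback and every REST permission_callback is inspected for a current_user_can() call against an appropriate capability, and the nonce check is treated as CSRF protection only, not as a substitute for authorization.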
Affected Systems
The affected product is the WP-Recall plugin developed by tggfref. All released versions up to and including 16.26.14 are affected. WordPress sites running this plugin at that version or earlier remain vulnerable until it is upgraded.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation in the wild at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The attack likely proceeds through the plugin's web interface and requires a user with access to the WordPress administrative pages. Because the flaw is a pure authorization bypass, any user who can reach the plugin's endpoints is inferred to be able to exploit it unless role restrictions provide further mitigation.
OpenCVE Enrichment