Impact
The vulnerability is a missing authorization check in the CodeSolz Ultimate Push Notifications WordPress plugin, which lets an attacker take advantage of incorrectly configured access controls. Because the plugin does not enforce proper privilege checks, a user could perform actions that are intended to be restricted, potentially changing notification settings or accessing internal data that should be protected. This weakness falls under CWE-862 (Missing Authorization) and can lead to information disclosure or unauthorized configuration changes.
Affected Systems
WordPress sites running the Ultimate Push Notifications plugin at version 1.2.0 or earlier are susceptible. The plugin, developed by CodeSolz, is a premium WordPress notification solution distributed via the WordPress.org plugin platform.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity; the EPSS score of less than 1% suggests a low probability of exploitation at present, and the issue is not listed in CISA's KEV catalog. The likely attack vector is remote, through the WordPress administrative interface, since the plugin is web-based and stores its configuration in the database. An attacker who can submit requests to the plugin's endpoints without proper role validation may manipulate notification settings or gain unintended access to plugin features. If the flaw is used as a foothold for further exploitation, the impact could widen beyond the plugin itself, especially on sites that already carry other vulnerable components.
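To make the CWE-862 pattern concrete, the following is an added illustration, not the plugin's actual code: a hypothetical WordPress AJAX settings handler that lacks any authorization check, followed by the same handler with the capability check, nonce verification and input sanitization a plugin should enforce. All hook, option, capability and field names are assumptions chosen for the example.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin. Hook names, option
// names and field names below are hypothetical, not the plugin's real code.

// --- Vulnerable pattern: any logged-in user (or, if the plugin also registered
// a wp_ajax_nopriv_ hook, anyone) can reach this handler, and it writes
// settings without ever checking who asked.
add_action( 'wp_ajax_example_save_push_settings', 'example_save_push_settings_insecure' );
function example_save_push_settings_insecure() {
    // No capability check, no nonce: authorization is never enforced.
    $settings = array(
        'api_key' => $_POST['api_key'] ?? '',
        'enabled' => ! empty( $_POST['enabled'] ),
    );
    update_option( 'example_push_settings', $settings );
    wp_send_json_success( $settings ); // also echoes internal data back to the caller
}

// --- Hardened pattern: enforce the privilege the action requires, bind the
// request to a nonce so it cannot be forged cross-site, and sanitize input.
add_action( 'wp_ajax_example_save_push_settings_v2', 'example_save_push_settings_secure' );
function example_save_push_settings_secure() {
    // 1. Authorization: only users allowed to manage site options proceed.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. Request integrity: the settings page issues the nonce with
    //    wp_create_nonce( 'example_push_settings' ); a missing or invalid
    //    nonce makes check_ajax_referer() terminate with a 403.
    check_ajax_referer( 'example_push_settings', 'nonce' );

    // 3. Input validation before anything touches the database.
    $settings = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'enabled' => rest_sanitize_boolean( $_POST['enabled'] ?? false ),
    );
    update_option( 'example_push_settings', $settings );

    // 4. Do not reflect secrets (the API key) back to the client.
    wp_send_json_success( array( 'enabled' => $settings['enabled'] ) );
}
```

The hardened handler is registered under a second hook name only so both versions can sit side by side; in a real fix the original handler is replaced, and the same three checks apply to REST routes (via a `permission_callback`) and admin-post handlers.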