Impact
The Trusty Whistleblowing plugin contains a missing authorization flaw that allows attackers to bypass the intended access controls and read or edit whistleblowing data without permission. The vulnerability is described as an incorrect configuration of security levels. The advisory does not specify whether the flaw is exploitable by unauthenticated users or only by authenticated ones, but it indicates that the plugin's endpoints can be reached in a way that permits unauthorized data access. Because a whistleblowing platform exists to protect the identity and submissions of reporters, unauthorized exposure or modification of that information undermines the confidentiality and integrity guarantees the platform is meant to provide.
Affected Systems
WordPress sites running the Trusty Whistleblowing plugin prior to version 2.0.2 are affected; every release from the earliest through 2.0.1 is vulnerable. Site administrators can confirm the installed version on the WordPress plugins page.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity, while the EPSS score below 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in CISA KEV. According to the advisory, an attacker would need to reach the plugin's endpoints, which likely involves sending crafted requests. The precise authentication requirements are not detailed, so it is unclear whether the flaw can be exploited by unauthenticated users. Updating to 2.0.2 or later, or disabling the plugin until it can be updated, is the recommended defense.
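The advisory names the flaw class (a plugin endpoint reachable without an authorization check) but not the mechanism, so the following added example is not the plugin's code: it assumes a WordPress REST route, and the namespaces, the capability name 'manage_whistleblowing_reports' and the handler names are placeholders. It shows the weak pattern beside the hardened form an administrator or developer should expect to see in a fixed plugin.

```php
<?php
// Added illustration, not code from the Trusty Whistleblowing plugin.
// Route namespaces, capability name and handlers are assumptions.

// WEAK: '__return_true' as permission_callback accepts every request,
// so anyone who can reach the REST API can read or edit the data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-weak/v1', '/reports', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_reports',
        'permission_callback' => '__return_true',   // no authorization
    ) );
} );

// HARDENED: both read and edit routes require a logged-in user holding a
// dedicated capability. With cookie authentication WordPress also
// requires a valid X-WP-Nonce header before the user is treated as logged in.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/reports', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_list_reports',
            'permission_callback' => 'example_can_manage_reports',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_update_report',
            'permission_callback' => 'example_can_manage_reports',
            'args'                => array(
                'id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            ),
        ),
    ) );
} );

// Returns 401 for anonymous callers and 403 for authenticated users
// who lack the capability (rest_authorization_required_code picks which).
function example_can_manage_reports( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_whistleblowing_reports' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to access whistleblowing reports.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Placeholder handlers so the routes above are complete.
function example_list_reports( WP_REST_Request $request ) {
    return rest_ensure_response( array() );   // would return report records
}
function example_update_report( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'id' => $request['id'] ) );
}
```

The capability should be granted only to the roles that handle reports, so that the check fails closed for every other account as well as for anonymous requests.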