Impact
This vulnerability is a missing authorization flaw (CWE-862) that allows an attacker to perform privileged actions in the Sertifier Certificate & Badge Maker WordPress plugin without the authorization checks the plugin should enforce. An exploit could let an attacker view, create, or delete certificates and badges, compromising the confidentiality and integrity of the credentials stored in the system. The flaw exists in all releases from the earliest available version through 1.21, offering a broad attack surface.
Affected Systems
The affected system is the WordPress Sertifier Certificate & Badge Maker plugin, versions up to and including 1.21. The plugin is installed within a WordPress site and relies on the WordPress API for authentication. Any authenticated WordPress user, whatever their role, can trigger the broken access control if the plugin's security settings have not been tightened.
Risk and Exploitability
With a CVSS score of 6.5 the vulnerability is rated moderate severity, and an EPSS score below 1% indicates a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is through HTTP requests to the plugin's endpoints; an attacker only needs to be able to authenticate to the WordPress site, or to use a misconfigured role that grants unnecessary privileges. Since no public proof-of-concept is documented, exploitability depends on the site's role configuration and on which plugin endpoints are exposed.
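The missing-authorization pattern described under Impact and the attack path over the plugin's HTTP endpoints described above, as an added illustration that is not the Sertifier plugin's own source: the REST namespace, route, handler names and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not the Sertifier plugin's code. Namespace, route,
// capability ('manage_options') and handler names are assumptions.

// CWE-862 pattern: the route accepts every caller because
// permission_callback unconditionally returns true. WordPress handles
// authentication, but the plugin never makes an authorization decision,
// so any logged-in role (or, for public routes, anyone) reaches the handler.
$vulnerable_route_args = array(
    'methods'             => WP_REST_Server::DELETABLE,
    'callback'            => 'example_delete_certificate',
    'permission_callback' => '__return_true', // missing authorization
);

// Hardened form: WordPress evaluates permission_callback before the
// handler runs; false or a WP_Error stops the request with 401/403.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-certs/v1', '/certificates/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_certificate',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to delete certificates.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );

// Same principle for an admin-ajax handler: wp_ajax_* fires for every
// logged-in user regardless of role, and the nonce only defends against
// CSRF. The capability check is the actual authorization decision.
add_action( 'wp_ajax_example_delete_certificate', function () {
    check_ajax_referer( 'example_delete_certificate', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges.', 403 );
    }
    $id = absint( $_POST['id'] ?? 0 );
    // ... delete the record identified by $id ...
    wp_send_json_success( array( 'deleted' => $id ) );
} );
```

When auditing a plugin for this class of flaw, grep its `register_rest_route` and `wp_ajax_` registrations for `__return_true` permission callbacks and for handlers that verify a nonce but never call `current_user_can`.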
OpenCVE Enrichment