Impact
The vulnerability in the Simple Business Directory Pro plugin is an incorrect privilege assignment flaw that lets an attacker obtain privileges beyond those intended for their user role. A user with ordinary access could gain higher-level capabilities, such as editing or deleting directory content they should not control or, potentially, reaching administrative plugin functions. The weakness is classified as CWE-266 (Incorrect Privilege Assignment): the product grants an actor a privilege it should not hold, which is distinct from failing to check an authorization decision at the point of use.
Affected Systems
All installations of the QuantumCloud Simple Business Directory Pro WordPress plugin running version 15.6.9 or earlier are affected. Installations at 15.6.9 or any earlier release remain vulnerable until the plugin is upgraded to a release that carries the fix.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical rating, while the EPSS score of less than 1% indicates a low predicted probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in the CISA KEV catalog. The CVE description does not explicitly state the authentication requirements. It is inferred that an attacker would likely need some level of authenticated access to the WordPress site, with the attack carried out through normal plugin functionality such as editing or managing directory entries. That inference is in tension with the published score: a 9.8 base score under CVSS v3.x corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which means no privileges required, and the same vector with PR:L scores 8.8. Defenders should therefore treat unauthenticated exploitation as possible until the scoring is clarified. The likely attack vector is the plugin's privileged functions, which, if reachable by a lower-privileged (or unauthenticated) user, could grant that user higher capabilities.
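To make the weakness class concrete, the following is an added illustration of a CWE-266 pattern in a WordPress plugin, written for this page. It is not the Simple Business Directory Pro code and does not describe the actual flaw; the hook names, function names, the `sbdx_directory_manager` role and the `sbdx_manage_listings` capability are all invented. The first handler assigns a request-supplied role to whoever calls it; the second requires a nonce, a caller capability, an allow-listed target role and an explicit, validated target user.

```php
<?php
/**
 * Hypothetical illustration of CWE-266 (incorrect privilege assignment)
 * in a WordPress plugin: a vulnerable AJAX handler beside a hardened one.
 * NOT the Simple Business Directory Pro code; every name here is invented.
 */

// --- Vulnerable pattern --------------------------------------------------
// wp_ajax_* fires for every logged-in user, so a subscriber can reach this.
// The handler trusts a request-supplied role and assigns it to the caller:
// POST role=administrator is all an escalation takes.
add_action( 'wp_ajax_sbdx_set_directory_role', 'sbdx_set_directory_role_vulnerable' );
function sbdx_set_directory_role_vulnerable() {
    $role = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';
    $user = wp_get_current_user();
    // No nonce, no capability check, no allow-list on the role.
    $user->set_role( $role );
    wp_send_json_success( array( 'role' => $role ) );
}

// --- Hardened pattern ----------------------------------------------------
// 1. CSRF protection with a nonce.
// 2. The caller must already hold a capability that permits role changes.
// 3. The target role is limited to the plugin's own narrow role and must exist.
// 4. The target user is explicit, and the caller must be allowed to edit them.
add_action( 'wp_ajax_sbdx_set_directory_role_safe', 'sbdx_set_directory_role_hardened' );
function sbdx_set_directory_role_hardened() {
    check_ajax_referer( 'sbdx_set_role', 'nonce' );

    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role      = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // Only the plugin's deliberately narrow role may be assigned through this path.
    $allowed = array( 'sbdx_directory_manager' );
    if ( ! in_array( $role, $allowed, true ) || ! wp_roles()->is_role( $role ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    $target = get_userdata( $target_id );
    if ( ! $target || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'invalid user', 400 );
    }

    $target->set_role( $role );
    wp_send_json_success( array( 'user_id' => $target_id, 'role' => $role ) );
}

// --- Least-privilege role registration -----------------------------------
// Give directory managers only what they need instead of reusing
// 'manage_options' or handing out the administrator role.
register_activation_hook( __FILE__, 'sbdx_register_directory_role' );
function sbdx_register_directory_role() {
    add_role(
        'sbdx_directory_manager',
        'Directory Manager',
        array(
            'read'                 => true,
            'edit_posts'           => true,
            'sbdx_manage_listings' => true, // invented plugin-specific capability
        )
    );
}
```

The hardened handler illustrates the fix for this weakness class: the privilege being granted is decided by server-side policy (the allow-list and the caller's existing `promote_users` capability), never by the request. When reviewing a plugin for this pattern, look for `wp_ajax_*`, REST route callbacks, and `admin_post_*` handlers whose `permission_callback` or `current_user_can()` check is missing, and for any call to `set_role()`, `add_role()` or `add_cap()` whose argument originates in `$_POST`, `$_GET` or `$_REQUEST`.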