Impact
The vulnerability is a missing authorization flaw that allows an attacker to access privileged functions within the CreativeMindsSolutions CM Pop-Up banners WordPress plugin. It is classified as CWE-862 (Missing Authorization), meaning the plugin does not properly enforce access controls. Successful exploitation could enable the attacker to modify, create, or delete banner configurations, potentially compromising the site's content and user experience.
Affected Systems
The affected asset is the CM Pop-Up banners plugin for WordPress, versions from the initial release up through 1.8.4. Users running these versions should consider them vulnerable until the plugin is upgraded or removed.
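To inventory installs in the affected range, the following added example (not code from the advisory or the plugin) scans a WordPress plugins directory, reads each plugin's header and flags matching installs at or below 1.8.4. The name pattern is an assumption about the plugin's "Plugin Name" header, and the sample tree it builds when run without arguments is constructed.

```python
import re, sys, tempfile
from pathlib import Path

LAST_AFFECTED = "1.8.4"  # upper bound stated in the advisory
# Assumption: the plugin's "Plugin Name" header contains "CM Pop-Up".
NAME_PATTERN = re.compile(r"cm\s+pop-?up", re.I)

def read_header(php_file, field):
    """Read one plugin header field from the first 8 KB, as WordPress does."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.I | re.M)
    return m.group(1).strip() if m else None

def version_key(version, width=4):
    """Leading dotted-numeric part as a zero-padded tuple; None if unparseable."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def find_affected(plugins_dir):
    """Matching installs at or below LAST_AFFECTED; unparseable versions count too."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        name = read_header(php_file, "Plugin Name")
        if not name or not NAME_PATTERN.search(name):
            continue
        version = read_header(php_file, "Version")
        key = version_key(version)
        if key is None or key <= version_key(LAST_AFFECTED):
            hits.append((php_file.parent.name, name, version))
    return hits

def build_sample_tree(root):
    """Constructed sample data; directory names and versions are made up."""
    samples = {"popup-a": ("CM Pop-Up banners", "1.8.4"),
               "popup-b": ("CM Pop-Up banners", "1.8.5"),
               "unrelated": ("Some Other Plugin", "1.0")}
    for folder, (name, version) in samples.items():
        d = Path(root, folder)
        d.mkdir(parents=True)
        (d / "main.php").write_text(
            f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for folder, name, version in find_affected(target):
        print(f"AFFECTED: {folder}: {name} {version}")
```

Pass the path to a site's wp-content/plugins directory as the first argument to scan a real install. The 1.8.5 entry in the sample tree only exercises the comparison and says nothing about which release fixes the issue.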
Risk and Exploitability
The CVSS score of 4.3 places the flaw in the low-to-moderate severity range, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the web interface; an attacker would need to exploit improperly configured access control checks, possibly requiring a user account with elevated privileges. No exploit code is known, but the access controls could be bypassed by an attacker who gains authenticated access or who can manipulate the request paths that are protected by weak role checks.
OpenCVE Enrichment