Impact
The vulnerability results from a missing authorization check that allows anyone to access functionality within the Info Cards plugin that should be restricted by access control lists. An attacker can exploit this flaw to call protected plugin endpoints and perform actions beyond their intended permissions, leading to unauthorized use of plugin features. The weakness is an improper enforcement of authorization checks, corresponding to CWE-862. The vulnerability was assigned a CVSS base score of 7.1, indicating high severity.
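The CWE-862 pattern described above, as an added example that is not the Info Cards plugin's own code and makes no claim about which of its endpoints are affected: a WordPress REST route registered so that any caller can reach it, next to the same route with the capability and input checks WordPress expects, plus the equivalent fix for an admin-ajax handler. The namespace, route, option, action and function names are hypothetical placeholders, and `manage_options` is assumed to be the appropriate capability for changing plugin settings.

```php
<?php
// Added example (not the Info Cards plugin's code). Names below are placeholders.

// --- Vulnerable shape: the route is public. permission_callback returns true for
// everyone, so unauthenticated visitors can change plugin settings. Omitting
// permission_callback entirely has the same effect (WordPress 5.5+ logs a
// _doing_it_wrong notice but still serves the route).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cards/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_cards_save_settings',
        'permission_callback' => '__return_true', // CWE-862: no authorization check
    ) );
} );

// --- Hardened shape: require a capability and validate/sanitize input.
// For cookie-authenticated requests WordPress core also requires a valid
// X-WP-Nonce header before permission_callback runs, which blocks CSRF.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cards/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_cards_save_settings',
        'permission_callback' => function () {
            // Assumed capability: only users who may manage site options.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'card_title' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_cards_save_settings( WP_REST_Request $request ) {
    update_option( 'example_cards_title', $request->get_param( 'card_title' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- The same fix for an admin-ajax endpoint. Registering only the
// wp_ajax_ hook (not wp_ajax_nopriv_) keeps logged-out users away from it,
// but a logged-in subscriber could still call it, so the capability check
// and the nonce check are still required inside the handler.
add_action( 'wp_ajax_example_cards_reset', 'example_cards_reset_handler' );

function example_cards_reset_handler() {
    // Nonce check: the request must originate from a form/script this plugin
    // rendered for the current user (the action name is a placeholder).
    check_ajax_referer( 'example_cards_reset_nonce', 'nonce' );

    // Authorization check: the missing piece in a CWE-862 bug.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    delete_option( 'example_cards_title' );
    wp_send_json_success( array( 'reset' => true ) );
}
```

When reviewing a plugin for this class of bug, the two things to grep for are `register_rest_route` calls whose `permission_callback` is absent or `__return_true`, and `wp_ajax_nopriv_` / `wp_ajax_` handlers that never call `current_user_can()`; the nonce check alone is not an authorization check, because a nonce only proves the request came from a page the user legitimately loaded, not that the user is allowed to perform the action.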
Affected Systems
The vulnerability affects the Info Cards plugin developed by bPlugins. Versions from the earliest release up to and including 1.0.11 are impacted. No specific WordPress core version is cited as a precondition for exploitation, so any site running one of those plugin versions should be treated as affected.
Risk and Exploitability
The risk profile combines a CVSS score of 7.1 with an EPSS probability of less than 1%. The vulnerability is not yet listed in the CISA KEV catalog, suggesting no publicly known active exploitation at this time. Based on the description, a likely attack path involves a remote attacker submitting HTTP requests to the plugin's endpoints that lack proper ACL checks. The flaw therefore poses a threat to the confidentiality and integrity of the plugin's configured data, and may allow privilege escalation within the site if the plugin performs privileged actions.
OpenCVE Enrichment