Impact
A missing authorization check (CWE-862) in the PARETO Digital Embedder for Google Reviews WordPress plugin lets users invoke plugin functions that should be gated by access control lists. Because that functionality is not properly constrained by ACLs, a user who can reach it can view or manipulate the Google Reviews data the plugin embeds in a WordPress site, affecting the confidentiality and integrity of the review content.
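The pattern behind CWE-862 in a WordPress plugin is usually a request handler that checks only that the caller is logged in (or nothing at all) and never asks whether the caller is allowed to perform the operation. The fragment below is an added, illustrative example and is not the PARETO Digital plugin's code: the AJAX action names, the REST namespace and route, the `demo_reviews_place_id` option and the `manage_options` capability are all assumptions chosen to show the vulnerable handler next to its hardened form.

```php
<?php
/**
 * Illustrative WordPress plugin fragment: a CWE-862 missing authorization
 * check beside its hardened form. Added example code, not the PARETO Digital
 * Embedder for Google Reviews plugin's own code; action names, option name,
 * REST namespace/route and the capability used are assumptions.
 */

// ---------------------------------------------------------------------------
// VULNERABLE: a wp_ajax_{action} hook only guarantees the caller is logged in.
// With no capability check, a Subscriber-role account can overwrite the
// setting that selects which Google place's reviews get embedded.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_demo_reviews_save_v1', 'demo_reviews_save_vulnerable' );
function demo_reviews_save_vulnerable() {
    $place_id = sanitize_text_field( wp_unslash( $_POST['place_id'] ?? '' ) );
    update_option( 'demo_reviews_place_id', $place_id ); // any authenticated user
    wp_send_json_success( array( 'place_id' => $place_id ) );
}

// The same defect on a REST route: permission_callback => '__return_true'
// exposes the handler to anyone, authenticated or not.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-reviews/v1', '/settings-v1', array(
        'methods'             => 'POST',
        'callback'            => 'demo_reviews_rest_save',
        'permission_callback' => '__return_true', // missing ACL check
    ) );
} );

// ---------------------------------------------------------------------------
// HARDENED: verify the nonce (CSRF), then the capability (authorization).
// Being authenticated is never sufficient for a privileged operation.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_demo_reviews_save', 'demo_reviews_save_hardened' );
function demo_reviews_save_hardened() {
    // Terminates the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'demo_reviews_save', 'nonce' );

    // Tie the check to the capability the operation actually requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $place_id = sanitize_text_field( wp_unslash( $_POST['place_id'] ?? '' ) );
    update_option( 'demo_reviews_place_id', $place_id );
    wp_send_json_success( array( 'place_id' => $place_id ) );
}

// Hardened REST route: permission_callback is where WordPress expects the
// authorization decision. Cookie-authenticated REST calls must also carry a
// valid X-WP-Nonce header, which core validates before this callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-reviews/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_reviews_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'place_id' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function demo_reviews_rest_save( WP_REST_Request $request ) {
    update_option( 'demo_reviews_place_id', $request->get_param( 'place_id' ) );
    return rest_ensure_response( array(
        'place_id' => get_option( 'demo_reviews_place_id' ),
    ) );
}
```

To confirm a handler is actually gated, test it with the lowest-privilege account the site allows (a Subscriber) rather than an administrator: a POST to `wp-admin/admin-ajax.php` with `action=demo_reviews_save` from that account should fail with 403, and the same POST to the `/settings-v1` route should succeed, which is the behaviour a missing-ACL finding describes. Choose the capability per operation (reading embedded review data may warrant a lower bar than changing which reviews are embedded); `manage_options` is only the placeholder used here.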
Affected Systems
All installations of the PARETO Digital Embedder for Google Reviews plugin up to and including version 1.7.3 are affected. The vendor's advisory lists the affected range as n/a through <= 1.7.3, i.e., every release up to and including 1.7.3. The advisory excerpt does not name a fixed version, so WordPress sites running the plugin should confirm they are on a release later than 1.7.3 before treating themselves as patched.
Risk and Exploitability
The CVSS base score of 5.3 indicates medium severity; the EPSS score below 1% suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in CISA's KEV catalog. The advisory excerpt does not include the CVSS vector, so the privilege level required is not stated. The reading here is that an attacker holds an ordinary WordPress account and simply calls the plugin functionality that lacks an ACL check; under that reading no elevated role is needed, so any user who can log in (for example a Subscriber) could reach it. That assumption should be checked against the published vector rather than inferred from the score: a 5.3 base score is also what a network-reachable, low-complexity, unauthenticated vector with a single low-impact component produces, in which case no login would be required at all. Either way, the overall likelihood of exploitation remains low according to the EPSS metric.
OpenCVE Enrichment
EUVD