Impact
The vulnerability is a missing authorization flaw in the All Bootstrap Blocks WordPress plugin: functionality the plugin exposes is reachable without a proper check of the caller's role or capability. An attacker who can trigger that functionality may be able to perform actions normally reserved for higher-privilege users, leading to unauthorized modification or disclosure of data. The weakness is a classic privilege escalation caused by improper role checks, and it could affect the confidentiality, integrity, or availability of WordPress content. The official CVE description limits the issue to the plugin itself and does not indicate broader system compromise.
Affected Systems
All users of the All Bootstrap Blocks plugin up to and including version 1.3.28 are affected. The vendor is listed as All Bootstrap Blocks, and any WordPress installation running version 1.3.28 or earlier of this plugin may be vulnerable. No operating system or platform constraints are listed, so the weakness applies to any environment in which the plugin is installed.
Risk and Exploitability
The CVSS score of 6.5 places this vulnerability in the medium severity range, while the EPSS score of under 1% indicates a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Because the flaw resides solely in the plugin's access control logic, an attacker need only hold a user account on the site, or be able to craft requests that reach the plugin's exposed endpoints. The likely attack vector is the normal WordPress front end or admin interface, so exploitation requires neither privileged remote access nor additional software. Once the authorization check is bypassed, the attacker may be able to create, edit, or delete content, violating the principle of least privilege that the site's role configuration is meant to enforce.
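The pattern described above, a plugin endpoint whose privileged action is reachable without a capability check, is shown below as an added illustration. This is not code from the All Bootstrap Blocks plugin and does not reproduce its actual endpoint; the route names, the `example_blocks_*` functions and the `example_blocks_settings` option key are hypothetical. The first handler registers a REST route with `permission_callback => '__return_true'`, so any caller who can reach `/wp-json/` can write a site option; the second ties the same action to `manage_options`, which is the check that was missing.

```php
<?php
// Added illustration of a WordPress "missing authorization" bug and its fix.
// Not code from the All Bootstrap Blocks plugin; all names below are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// permission_callback returns true unconditionally, so WordPress performs no
// authorization before invoking the callback. The callback then performs a
// privileged action (writing a site-wide option) without checking capabilities
// itself. A subscriber-level account, or any client that can reach the REST API,
// can change the setting.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_blocks_save_settings_vulnerable',
        'permission_callback' => '__return_true', // BUG: no authorization check
    ) );
} );

function example_blocks_save_settings_vulnerable( WP_REST_Request $request ) {
    $settings = (array) $request->get_json_params();
    update_option( 'example_blocks_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- Hardened pattern -----------------------------------------------------
// The route declares a permission_callback that requires the capability the
// action actually needs. For cookie-authenticated requests WordPress also
// validates the X-WP-Nonce header before running the callback, so a logged-in
// administrator cannot be tricked into triggering it cross-site. Input is
// declared with sanitize/validate callbacks instead of being stored raw.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_blocks_save_settings_secure',
        'permission_callback' => 'example_blocks_can_manage',
        'args'                => array(
            'accent_color' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    // Accept only a 3- or 6-digit hex colour such as #1a2b3c.
                    return (bool) preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $value );
                },
            ),
        ),
    ) );
} );

function example_blocks_can_manage() {
    // Check the specific capability, not merely is_user_logged_in():
    // a subscriber is logged in but must not be able to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_blocks_save_settings_secure( WP_REST_Request $request ) {
    $settings = array(
        'accent_color' => $request->get_param( 'accent_color' ),
    );
    update_option( 'example_blocks_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

A quick check for the class of bug, whether in this plugin or another, is to authenticate as a subscriber-level account and POST to each of the plugin's REST routes and `admin-ajax.php` actions: a route that accepts the write with a 200 response, as the first handler does, is missing authorization, while the hardened one answers 401 or 403 with `rest_forbidden`. Registered routes and their permission callbacks can be listed from an authenticated session via `GET /wp-json/` to find candidates worth testing.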