Impact
The vulnerability is a missing authorization check in the miniOrange Google Authenticator plugin for WordPress, which allows privileged operations to be performed without verifying that the requesting user holds the required permissions. Because the plugin fails to enforce the correct access level before executing protected functions, a user who can authenticate to the WordPress site may gain access to features intended for higher-privilege users. The flaw is classified as CWE-862 (Missing Authorization).
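To make the CWE-862 pattern concrete, the following is an added illustrative example and not code from the miniOrange plugin: a hypothetical WordPress settings handler that saves a two-factor option via admin-ajax. The option name, AJAX action names, nonce action and page slug are assumed for the example. The first handler performs the privileged write without any capability check, which is the class of defect described above; the second gates the same operation behind current_user_can() and a nonce check before any state changes.

```php
<?php
/*
 * Added illustrative example (not the miniOrange plugin's own code).
 * Hypothetical plugin code showing the CWE-862 pattern beside its fix.
 * Assumed names: option "example_2fa_settings", AJAX actions
 * "example_save_2fa_unchecked" / "example_save_2fa_checked",
 * nonce action "example_2fa_settings_nonce", page slug "example-2fa".
 */

// VULNERABLE PATTERN: wp_ajax_{action} fires for any logged-in user,
// whatever their role, and this callback writes a site-wide option
// without asking whether the caller is allowed to administer the site.
function example_save_2fa_settings_unchecked() {
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_2fa_settings', array( 'enabled' => $enabled ) );
    wp_send_json_success( 'saved' );
}
add_action( 'wp_ajax_example_save_2fa_unchecked', 'example_save_2fa_settings_unchecked' );

// HARDENED PATTERN: the authorization (capability) check and the CSRF
// nonce check both run before any state changes. wp_send_json_error()
// ends the request, so a caller without the capability never reaches
// update_option().
function example_save_2fa_settings_checked() {
    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce: the request must originate from the plugin's own settings form.
    check_ajax_referer( 'example_2fa_settings_nonce', 'nonce' );

    $raw     = isset( $_POST['enabled'] ) ? sanitize_text_field( wp_unslash( $_POST['enabled'] ) ) : '0';
    $enabled = ( '1' === $raw );
    update_option( 'example_2fa_settings', array( 'enabled' => $enabled ) );
    wp_send_json_success( 'saved' );
}
add_action( 'wp_ajax_example_save_2fa_checked', 'example_save_2fa_settings_checked' );

// The settings page is registered with the same capability, so the form
// (and the nonce embedded in it) is only rendered for administrators.
// Menu visibility alone is not an access control; the handler above
// still performs its own check.
function example_register_settings_page() {
    add_options_page(
        'Example 2FA',
        'Example 2FA',
        'manage_options',
        'example-2fa',
        'example_render_settings_page'
    );
}
add_action( 'admin_menu', 'example_register_settings_page' );

function example_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_2fa_checked">
        <?php wp_nonce_field( 'example_2fa_settings_nonce', 'nonce' ); ?>
        <label><input type="checkbox" name="enabled" value="1"> Require two-factor authentication</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of flaw, list every add_action( 'wp_ajax_... ' ) and admin_post registration and confirm that each callback begins with a capability check appropriate to the operation; a nonce check on its own is not authorization, since any logged-in user who can load the form can obtain a valid nonce.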
Affected Systems
Affected systems include the miniOrange Google Authenticator plugin for WordPress, versions up to and including 6.1.1. This applies to all WordPress installations that have the plugin installed and have not yet applied the latest update. The vulnerability is limited to the plugin itself and does not affect WordPress core or other plugins.
Risk and Exploitability
The CVSS score of 6.5 corresponds to Medium severity. The EPSS score is below 1%, suggesting that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Given the plugin's web-based nature, the likely attack vector is remote, through the plugin's administrative interface, and a compromised or legitimately privileged user could alter two-factor authentication settings. It is uncertain whether unauthenticated users can exploit the flaw; the description indicates that authentication may be required.
OpenCVE Enrichment