Impact
The vulnerability is a missing authorization flaw (CWE‑862) in the Church Admin WordPress plugin: an attacker can misuse incorrectly configured access control settings because the plugin does not verify that the requesting user is permitted to perform the action. This can enable an attacker to perform actions beyond their intended privileges, potentially reading or modifying sensitive data stored by the plugin.
Affected Systems
The issue affects the Church Admin plugin for WordPress, developed by andy_moyle, in all releases up to and including version 5.0.26. Any site that has not upgraded past this version is potentially vulnerable. No lower bound is specified, so every installed instance up to and including 5.0.26 is considered affected.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of under 1% suggests that exploitation attempts are expected to be rare at the time of this analysis, and the vulnerability is not listed in CISA KEV, further indicating low current exploitation pressure. The description does not state the attack vector explicitly; it is inferred to be web‑based, through the plugin’s administrative interface, and to require an authenticated session, although the absence of proper role checks could extend reach beyond the intended users. Because the flaw is missing authorization, an attacker who can authenticate as a low‑privilege user may gain elevated capabilities if the plugin’s access controls are not correctly enforced.
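The following is an added, generic illustration of the CWE‑862 pattern described above in a WordPress plugin handler, shown beside a hardened version. It is example code written for this page, not the Church Admin plugin's source; the action name `example_export_members`, the function names and the capability `manage_options` are assumed for illustration, and the returned rows are constructed sample data.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress AJAX
// handler, and the hardened form. Generic example code, not the Church Admin
// plugin's source; action names, function names and the chosen capability are
// hypothetical.

// VULNERABLE PATTERN: wp_ajax_* handlers run for any logged-in user. This
// handler never asks *which* user is calling, so a low-privilege account
// (e.g. a subscriber) can read data meant for administrators. Registering the
// same handler under wp_ajax_nopriv_* would extend this to unauthenticated users.
add_action( 'wp_ajax_example_export_members', 'example_export_members_unchecked' );
function example_export_members_unchecked() {
    $rows = example_fetch_member_rows(); // sensitive plugin data
    wp_send_json_success( $rows );
}

// HARDENED PATTERN: authorization is enforced with an explicit capability
// check, the request is tied to a nonce so it cannot be forged cross-site,
// and input is validated against an allow-list before use.
add_action( 'wp_ajax_example_export_members_v2', 'example_export_members_checked' );
function example_export_members_checked() {
    // 1. Authorization: reject callers without the capability this action needs.
    //    Check a specific capability, not a role name, so custom roles behave.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Request integrity: the nonce proves the request came from the plugin's
    //    own UI for this user (CSRF protection). It is not a substitute for the
    //    capability check above; both are needed.
    check_ajax_referer( 'example_export_members_nonce', 'nonce' );

    // 3. Input handling: only accept known output formats.
    $format = isset( $_POST['format'] ) ? sanitize_key( wp_unslash( $_POST['format'] ) ) : 'json';
    if ( ! in_array( $format, array( 'json', 'csv' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Bad request' ), 400 );
    }

    $rows = example_fetch_member_rows();
    wp_send_json_success( array( 'format' => $format, 'rows' => $rows ) );
}

// Stand-in for the plugin's data access layer; returns constructed sample rows.
function example_fetch_member_rows() {
    return array(
        array( 'id' => 1, 'name' => 'Sample Member', 'email' => 'member@example.invalid' ),
    );
}
```

When reviewing a plugin for this class of flaw, the question to ask of every `wp_ajax_*`, `wp_ajax_nopriv_*`, REST route and `admin_post_*` handler is whether a `current_user_can()` check (or a REST `permission_callback`) gates the sensitive operation; a nonce check alone, as the hardened handler notes, only establishes request origin and does not decide who is allowed to act.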