Impact
The Skimlinks Affiliate Marketing Tool plugin for WordPress contains a missing authorization flaw that lets users reach functionality that should be protected by access control lists (ACLs). The weakness is classified as Broken Access Control (CWE-862, Missing Authorization). Because the plugin does not properly constrain that functionality with ACLs, an attacker who can reach the plugin's administrative endpoints may be able to perform actions beyond their intended scope. From the description it is inferred that any authenticated user could potentially call restricted functions if those endpoints are publicly reachable.
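The pattern behind a CWE-862 finding in a WordPress plugin is usually an admin-ajax or REST handler that is only reachable by logged-in users but never checks what those users are allowed to do. The snippet below is an added illustration written for this page, not the Skimlinks plugin's own code; every function name, AJAX action and option key in it is hypothetical. It places the unauthorized-access shape beside a hardened handler that adds a capability check, a nonce check and input sanitization using standard WordPress API calls.

```php
<?php
// Added example (not the plugin's code): the general CWE-862 shape in a
// WordPress plugin and its corrected form. Names are hypothetical.

// --- Vulnerable shape -------------------------------------------------------
// Registering only the 'wp_ajax_' hook (and not 'wp_ajax_nopriv_') limits the
// handler to logged-in users, but it does NOT check what they may do: a
// subscriber-level account can call it through /wp-admin/admin-ajax.php.
function example_save_settings_vulnerable() {
    // No current_user_can() check  -> missing authorization (CWE-862).
    // No nonce check                -> a forged cross-site request also works.
    // No sanitization               -> raw input is written to the database.
    $publisher_id = isset( $_POST['publisher_id'] ) ? $_POST['publisher_id'] : '';
    update_option( 'example_publisher_id', $publisher_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

// --- Hardened form ----------------------------------------------------------
function example_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    //    wp_send_json_error() terminates the request, so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: verify the nonce that the settings form was issued
    //    with (created via wp_create_nonce( 'example_settings_nonce' )).
    //    check_ajax_referer() dies on failure by default.
    check_ajax_referer( 'example_settings_nonce', '_wpnonce' );

    // 3. Sanitize before storing.
    $publisher_id = isset( $_POST['publisher_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['publisher_id'] ) )
        : '';
    update_option( 'example_publisher_id', $publisher_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_hardened', 'example_save_settings_hardened' );

// The same rule applies to REST routes: register_rest_route() must be given a
// 'permission_callback' that performs the capability check, never one that
// simply returns true.
```

When reviewing a plugin for this class of issue, the check is mechanical: for every `wp_ajax_*` action, `admin_post_*` action and REST route, confirm that the handler (or its `permission_callback`) calls `current_user_can()` with a capability that matches the sensitivity of the operation, and that state-changing handlers also verify a nonce.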
Affected Systems
Affected systems are WordPress installations that have the Skimlinks Affiliate Marketing Tool plugin version 1.3 or earlier. The vendor Skimlinks provides the plugin, and all releases up through 1.3 are vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Although the issue allows intended access controls to be bypassed, the low exploitation probability and its absence from the KEV catalog suggest the overall risk remains moderate. Administrators should evaluate whether the plugin is needed and consider disabling or removing it if it is not.
OpenCVE Enrichment
EUVD