Impact
The vulnerability is a missing authorization flaw in the Ongkoskirim.id plugin that allows attackers to exploit incorrectly configured access control security levels. Exploiting this weakness can give unauthenticated users the ability to access resources or perform actions that should be restricted, potentially leading to data exposure or unauthorized use of functionality. The flaw is mapped to CWE-862 (Missing Authorization), indicating that the application fails to enforce authorization checks.
Affected Systems
The affected product is the WordPress plugin Ongkoskirim.id from the vendor oggix. Versions through 1.0.6 are impacted; the CVE data gives no lower bound (n/a). Any site running the plugin should check its installed version: 1.0.6 or below is affected.
Risk and Exploitability
With a CVSS score of 5.4, the severity is medium. The EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack vector is likely web-based, reachable by authenticated or unauthenticated users who can access administrative or plugin-specific pages, though the exact prerequisites are not detailed in the CVE data. The flaw arises from incorrect configuration of access control, so the opportunity to exploit depends on how the plugin is deployed and on the user roles available on the site.