The vulnerability is a missing authorization flaw that allows an attacker to bypass incorrectly configured access control security settings within the Ultimate Watermark plugin. Because the plugin fails to enforce proper permission checks (CWE‑862), an adversary could invoke privileged functions without possessing the required capabilities, potentially exposing or manipulating stored images or plugin data. This flaw does not directly cause code execution or data deletion but enables unauthorized use of protected features.

All installations of the MantraBrain Ultimate Watermark WordPress plugin with versions from the earliest available through 1.1 are affected. The vulnerability applies to any WordPress site deploying this plugin, regardless of how the plugin is configured, until the issue is resolved by updating or reconfiguring the plugin.

The CVSS score of 4.3 places the vulnerability in the moderate range, indicating that while exploitation is possible, impact may be limited. The EPSS score of less than 1% signals a very low probability of real‑world exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Likely attacks would target the plugin’s administrative endpoints via unauthenticated or low‑privilege user sessions, taking advantage of the broken access control to perform privileged operations. Given the moderate severity and low exploitation likelihood, the risk remains manageable but should still be addressed promptly.