A missing authorization failure in the WP Events Manager plugin enables an attacker to exploit improperly configured access control levels. The flaw permits users who should not have editing or configuration privileges to manipulate event settings or other internal data, potentially leading to data integrity issues and misuse of the events system. The weakness is classified as a broken access control (CWE-862).

The plugin ThimPress WP Events Manager, versions up to and including 2.2.1, is affected. All builds from the earliest released version through 2.2.1 are vulnerable, as the issue is described as covering "n/a through <= 2.2.1."

The CVSS score of 5.3 suggests a moderate security impact, while the EPSS score of less than 1% indicates that the probability of exploitation is low at this time. The vulnerability is not listed in the CISA KEV catalog. Although the attack vector is not explicitly stated, the nature of the flaw implies exploitation via the web application, requiring at least authenticated access. An attacker would likely attempt to access restricted functions through crafted URLs or API calls within the WordPress environment.