Impact
The vulnerability is a missing authorization flaw in the Trustpilot Reviews WordPress plugin: a plugin action that should be restricted is reachable without an adequate access control check. Because an unauthorized or insufficiently privileged user can perform actions that should be restricted, an attacker may read, modify, or delete review data, potentially compromising the integrity or confidentiality of the review system. The weakness is classified as CWE-862 (Missing Authorization).
Affected Systems
All installations of the Trustpilot Reviews plugin for WordPress with version numbers up to and including 2.5.925 are affected. Sites that have not upgraded beyond this release run the risk of unauthorized privilege escalation within the plugin’s functionality.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity, but the EPSS score of less than 1 % shows that the probability of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web‑based, leveraging the plugin’s exposed endpoints; an attacker would need either a user account with reduced privileges or a misconfiguration that allows broader access. Given the moderate impact and low exploitation likelihood, the risk remains moderate but still warrants remediation to prevent a potential escalation, especially if the site trusts the integrity of review data.
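The pattern behind CWE-862 in a WordPress plugin is easiest to see as a REST route whose permission_callback lets anyone through, beside the same route gated by a capability check. The following is an added illustration written for this page, not code from the Trustpilot Reviews plugin; the namespace, route path, option name and parameter name are assumptions, and the two registrations are shown side by side only for comparison (a real plugin would keep the hardened one alone).

```php
<?php
// Added illustration of a CWE-862 missing-authorization pattern in a
// WordPress plugin. The 'example-reviews/v1' namespace, '/settings' route,
// 'business_unit_id' parameter and option name are hypothetical.

// Shared handler: stores a setting for the review widget. Even with a
// permission check in front of it, request data is treated as untrusted.
function example_reviews_update_settings( WP_REST_Request $request ) {
    $value = sanitize_text_field( $request->get_param( 'business_unit_id' ) );
    update_option( 'example_reviews_business_unit_id', $value );
    return rest_ensure_response( array( 'updated' => true ) );
}

// WEAK (the CWE-862 shape): permission_callback always returns true, so any
// request, including one from an unauthenticated visitor, reaches the handler
// and can rewrite the plugin's settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-reviews/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_reviews_update_settings',
        'permission_callback' => '__return_true', // no authorization check
    ) );
} );

// HARDENED: WordPress only invokes the callback when permission_callback
// returns true, so tying it to a capability restricts the action to users who
// hold that capability. Cookie-authenticated REST requests must also carry a
// valid X-WP-Nonce header, which WordPress core verifies before the
// permission callback runs, so a forged cross-site request fails first.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-reviews/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_reviews_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // manage_options is held by administrators by default; pick the
            // narrowest capability that matches what the action really does.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'business_unit_id' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, the quick check is to list every register_rest_route() call and every add_action( 'wp_ajax_…' ) or add_action( 'wp_ajax_nopriv_…' ) hook, then confirm that each write action is gated by a current_user_can() test (and, for admin-ajax handlers, a check_ajax_referer() nonce check) rather than by an always-true callback or by nothing at all. Until the site is upgraded past the affected release, limiting who holds accounts on the site and monitoring for unexpected changes to plugin settings or review content are the practical compensating controls.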