The vulnerability is a missing authorization flaw in the Javo Core WordPress plugin. The flaw allows requests to bypass the plugin’s intended access controls, enabling users to view or manipulate data that should be restricted to authorized roles. The CVSS score of 5.3 places the issue in the moderate risk range, indicating that while it does not grant remote code execution, it permits exploitation of privileged actions within the plugin. The impact is limited to data exposure, unauthorized modification, and potential escalation of privileges within the boundaries of the plugin’s functionality.

All installations of Javo Core from the earliest releases through version 3.0.0.266, used on WordPress‑powered websites. The affected component is the Java Themes Javo Core plugin, identified by the vendor/product pair javothemes:Javo Core.

The moderate CVSS score of 5.3 and an EPSS of less than 1% indicate a low likelihood of widespread real‑world exploitation. The flaw is not listed in the CISA KEV catalog, further supporting a low threat posture. The likely attack vector involves missing authentication checks on the plugin’s internal endpoints; the attacker must reach those endpoints, which may require some level of authenticated access or the ability to access the site’s public URLs that call the plugin’s functions. Because the vulnerability is fundamentally a broken access control, it depends on the plugin’s improper enforcement of role checks and is therefore exploitable only against sites that have the plugin installed and exposed to the web without proper protection.