Impact
The Miraculous Core Plugin contains an Authorization Bypass Through User-Controlled Key flaw, classified as CWE-639 (an insecure direct object reference, or IDOR). The plugin acts on object references supplied by the user without validating that the requester is entitled to the referenced object, which allows unauthorized access to privileged data or actions. The primary impact is the potential to read, modify, or delete sensitive information managed by the plugin, effectively elevating privileges without proper authentication. Based on the description, the likely attack vector is the WordPress web interface, where an attacker can alter request parameters or URLs to reference objects they should not be able to access.

Risk and exploitability: the CVSS score of 9.8 places this issue in the Critical severity range. The EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the general population; although the issue is not listed in KEV, environments running the vulnerable plugin remain high-value targets. The IDOR flaw can be exploited remotely by any user, authenticated or unauthenticated, who knows the plugin's endpoints.
Affected Systems
The vulnerability affects any WordPress installation running the Miraculous Core Plugin by kamleshyadav in a version earlier than 2.0.9. All releases from the initial version up to, but not including, 2.0.9 are susceptible. Administrators who have not upgraded to the patched version are at risk.
Risk and Exploitability
The combination of a critical CVSS score, even with a low EPSS, underscores the seriousness of this vulnerability. An attacker exploiting the improper access control can compromise the confidentiality, integrity, or availability of content on a WordPress site. The lack of a KEV listing does not lessen the threat, as the vulnerability remains widely exposed and can be leveraged remotely wherever the vulnerable plugin is present.
OpenCVE Enrichment