Impact
The AppMySite plugin for WordPress contains a missing-authorization flaw (CWE-862): plugin functionality is exposed without a sufficient check that the requesting user is actually entitled to use it. An attacker can therefore perform actions that should be restricted to privileged accounts, potentially gaining access to sensitive data or administrative functions within the site. The resulting risk is a moderate loss of confidentiality or integrity, depending on the attacker's role and on which plugin functions are exposed.
Affected Systems
Sites running the AppMySite plugin at version 3.15.0 or earlier are affected; the fix is available from version 3.15.1. The plugin is distributed through the WordPress plugin ecosystem, so any site that installed AppMySite before 3.15.1 should verify its installed version and update. Older or unversioned builds up through 3.15.0 carry the same authorization oversight and are likewise vulnerable.
Risk and Exploitability
The assessed CVSS score is 5.3 (moderate severity), while the EPSS score of less than 1 % indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so it has not yet been observed in widespread attacks. Exploitation is expected to occur through ordinary web requests to the plugin's endpoints made with valid credentials; the attacker does not need elevated privileges to start with. The most likely scenario is an authenticated standard user interacting with plugin routes that were intended for privileged roles, bypassing the restrictions the plugin was supposed to enforce.
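The pattern behind CWE-862 in a WordPress plugin is usually a REST route or AJAX handler whose permission check is absent or permissive. The following is an added illustration written for this advisory; it is not AppMySite's code, and the plugin name `example-mobile-app`, the route `/settings` and the option `example_app_name` are hypothetical. It shows the weak registration beside the corrected one so that reviewers know what to look for when auditing a plugin.

```php
<?php
// Added example, not AppMySite code. Plugin namespace, route and option
// names below are hypothetical.

// Weak pattern (CWE-862): permission_callback always returns true, so any
// request that reaches the REST API, including one from a low-privilege
// authenticated user, is handed to the handler. Grepping a plugin for
// '__return_true' in permission_callback is a quick audit check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mobile-app/v1', '/settings-unchecked', array(
        'methods'             => 'POST',
        'callback'            => 'example_app_update_settings',
        'permission_callback' => '__return_true', // missing authorization
    ) );
} );

// Corrected pattern: the permission callback requires a capability that only
// administrators hold, and the argument schema sanitizes the input before the
// handler runs. With cookie authentication WordPress core also enforces the
// X-WP-Nonce header, so the callback only needs to decide on capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mobile-app/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_app_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // Returning a WP_Error yields a 403 with a clear message.
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to change app settings.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'app_name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Same handler for both routes: the difference is entirely in whether the
// route registration authorized the caller before reaching this point.
function example_app_update_settings( WP_REST_Request $request ) {
    update_option( 'example_app_name', $request->get_param( 'app_name' ) );
    return new WP_REST_Response( array( 'updated' => true ), 200 );
}

// The same mistake in admin-ajax form: registering a 'wp_ajax_nopriv_' hook,
// or omitting the capability check inside the handler, exposes the action to
// every logged-in user. The corrected handler checks both nonce and capability.
add_action( 'wp_ajax_example_app_reset', function () {
    check_ajax_referer( 'example_app_reset' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'example_app_name' );
    wp_send_json_success();
} );
```

When reviewing a plugin update for this class of issue, compare the `permission_callback` of each registered route and the `current_user_can()` checks in each `wp_ajax_` handler between the affected and fixed versions; a route whose callback changed from `__return_true` to a capability check is the typical signature of a CWE-862 fix.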
OpenCVE Enrichment
EUVD