Missing Authorization vulnerability in the Gutentor WordPress plugin allows an attacker to exploit incorrectly configured access control security levels. The weakness permits unauthorized users to gain access to restricted functionality or data that should be protected, compromising confidentiality and potentially integrity of the site. The flaw is a classic Broken Access Control issue, identified as CWE‑862, which can be leveraged to elevate privileges or bypass authentication checks within the plugin.

This vulnerability affects any WordPress website that has the Gutentor plugin installed with versions from any release date up to and including 3.5.2. All users, regardless of role, may be impacted if the plugin’s access control is not properly enforced. The plugin is maintained by the Gutentor vendor and any installation of the plugin prior to the identified release is considered at risk.

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests that the probability of exploitation is very low at present. The flaw is not listed in CISA’s KEV catalog, so it has not yet been identified as a known exploited vulnerability. Nonetheless, the missing authorization can be leveraged once the plugin is accessed, likely through standard WordPress administrative URLs or API endpoints. While the exploitation requires the attacker to reach the plugin’s interfaces, no privilege escalation beyond the trap is required, making the attack feasible for well‑prepared threat actors. Given the moderate CVSS and very low EPSS, this vulnerability should still be remediated promptly before any exploitation attempt occurs.