Impact
The vulnerability resides in the Custom Login URL plugin developed by Greg Winiarski. It allows an attacker to bypass the normal authorization checks on login‑related endpoints, so that unauthenticated or low‑privileged users can reach functionality that is intended to be restricted. The flaw enables the execution of protected actions, or the retrieval of sensitive information, that would normally require valid authentication. The weakness is classified as CWE‑862 (Missing Authorization): a privileged action is performed without verifying that the caller is permitted to request it.
Affected Systems
WordPress sites that have installed Greg Winiarski’s Custom Login URL plugin with a version of 1.0.2 or earlier are affected. The vulnerability applies to all releases in that range, including any default or custom configurations deployed by site administrators.
Risk and Exploitability
The vulnerability’s CVSS score of 5.3 indicates medium severity, driven mainly by the ability to gain unauthorized access to protected resources. The EPSS score, below 1%, suggests that the realistic probability of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is likely remote, using ordinary HTTP requests to the plugin’s login URL, and requires no user credentials. An attacker can craft requests to the custom login endpoint that bypass access control checks, compromising the confidentiality or integrity of protected content. Given these factors, administrators should promptly check whether the plugin is deployed on their sites and apply mitigations as soon as possible.
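The following is an added illustration of the CWE‑862 pattern named above, written for this page and not taken from the Custom Login URL plugin’s source: a WordPress admin‑post handler that changes a setting without checking who is calling, beside the hardened form. The action name (example_set_login_slug), option name (example_login_slug) and capability (manage_options) are assumptions chosen for the example; the WordPress API calls themselves (add_action, current_user_can, check_admin_referer, wp_nonce_field) are real.

```php
<?php
/**
 * Hypothetical example of CWE-862 (Missing Authorization) in a WordPress plugin.
 * Not the Custom Login URL plugin's code; hook, option and capability names are assumed.
 */

// --- Vulnerable pattern -------------------------------------------------
// A real plugin with this bug would register the handler for BOTH hooks below, so
// anonymous visitors of wp-admin/admin-post.php can trigger it. The registrations
// are commented out here so the insecure handler is not live alongside the secure one.
//
//   add_action( 'admin_post_example_set_login_slug',        'example_set_login_slug_insecure' );
//   add_action( 'admin_post_nopriv_example_set_login_slug', 'example_set_login_slug_insecure' );

function example_set_login_slug_insecure() {
    $slug = sanitize_title( wp_unslash( $_POST['login_slug'] ?? '' ) );
    update_option( 'example_login_slug', $slug ); // privileged write with no authorization check
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern ---------------------------------------------------
// Only the authenticated hook is registered, the caller's capability is verified,
// and the request must carry a nonce bound to this action and the current user.
add_action( 'admin_post_example_set_login_slug', 'example_set_login_slug_secure' );

function example_set_login_slug_secure() {
    // Authorization: reject anyone who cannot manage site options (HTTP 403).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'example' ), 403 );
    }
    // CSRF protection: dies with 403 if the nonce is missing or invalid.
    check_admin_referer( 'example_set_login_slug' );

    $slug = sanitize_title( wp_unslash( $_POST['login_slug'] ?? '' ) );
    if ( '' === $slug ) {
        wp_die( esc_html__( 'Invalid login slug.', 'example' ), 400 );
    }
    update_option( 'example_login_slug', $slug );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// The settings form that posts to the secure handler must emit the matching nonce.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_set_login_slug">
        <?php wp_nonce_field( 'example_set_login_slug' ); ?>
        <input type="text" name="login_slug"
               value="<?php echo esc_attr( get_option( 'example_login_slug', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'example' ) ); ?>
    </form>
    <?php
}
```

Two review points follow from the comparison: an `admin_post_nopriv_*` (or an `init`/`template_redirect`) hook that leads to a state‑changing or data‑returning operation is the first thing to look for when auditing a plugin for this weakness class, and the explicit 403 from the hardened handler gives the web server log a clear signal when an unauthorized request is rejected.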
OpenCVE Enrichment
EUVD