Impact
The Jock On Air Now (JOAN) plugin contains a missing authorization check that allows attackers to access or modify data beyond their intended privileges. The flaw arises because the plugin fails to enforce access controls on certain administrative endpoints, so an attacker can perform actions the plugin exposes to administrators without needing valid credentials. If exploited, an attacker could create, edit or delete content or otherwise manipulate plugin functions. CWE-862 categorizes this vulnerability as a missing authorization issue. Without the proper checks, an attacker could gain full control over the plugin's functionality.
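To make the weakness class concrete from a defender's side, the following is an added illustration (not code from the JOAN plugin or its vendor) of a generic WordPress admin-ajax handler in the CWE-862 form and in a hardened form. The hook names, action names, option key and nonce action are hypothetical; the WordPress API functions used (add_action, current_user_can, check_ajax_referer, update_option, wp_send_json_*) are real core functions.

```php
<?php
// Added illustration, not the JOAN plugin's code. All "demo_" names are hypothetical.

// --- Vulnerable pattern (CWE-862): the handler is reachable by logged-in users
// of any role and, via wp_ajax_nopriv_, by unauthenticated visitors as well.
// Nothing checks *who* is calling, so anyone can change an admin-only setting.
add_action('wp_ajax_demo_save_setting', 'demo_save_setting_unchecked');
add_action('wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_unchecked');
function demo_save_setting_unchecked() {
    update_option('demo_setting', wp_unslash($_POST['value'] ?? ''));
    wp_send_json_success();
}

// --- Hardened pattern: only logged-in users reach the handler (no nopriv hook),
// a capability check enforces authorization, a nonce ties the request to a
// deliberate admin action (CSRF protection), and input is sanitized before storage.
add_action('wp_ajax_demo_save_setting_secure', 'demo_save_setting_checked');
function demo_save_setting_checked() {
    // Authorization: require an administrator-level capability, not just a login.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403); // wp_send_json_error() exits after responding
    }
    // Request integrity: the nonce must match the one rendered in the admin form.
    // check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer('demo_save_setting_secure', 'nonce');

    $value = sanitize_text_field(wp_unslash($_POST['value'] ?? ''));
    update_option('demo_setting', $value);
    wp_send_json_success(['value' => $value]);
}

// The matching nonce is emitted where the admin form is rendered, e.g.:
// wp_nonce_field('demo_save_setting_secure', 'nonce');
```

When auditing a plugin for this class of bug, the useful review question is whether every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback that changes state performs a `current_user_can()` check (or an equivalent `permission_callback` for REST routes) in addition to a nonce check; a nonce alone proves intent, not privilege.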
Affected Systems
WordPress sites that use the Jock On Air Now (JOAN) plugin, published by the vendor 'ganddser', in any release through version 6.0.4, regardless of hosting environment. No specific operating system or WordPress core version information is provided, so any WordPress installation running an affected plugin version is considered vulnerable.
Risk and Exploitability
The CVSS v3.1 base score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating it is not known to be actively targeted. The attack vector is inferred to be remote, via crafted web requests to the plugin's endpoints; based on the description, authentication is inferred to be either not required or incorrectly enforced. An attacker with web access to the affected WordPress site could therefore exploit the flaw without any additional privilege escalation.
OpenCVE Enrichment