Impact
The WordPress WP Voting Contest plugin contains a Missing Authorization flaw (CWE-862) that can allow an attacker to execute privileged contest actions without proper authentication or role checks. This broken access control removes the barrier that normally protects management functions such as editing or deleting contests, and could allow unauthorized users to alter contest entries, view sensitive data, or otherwise manipulate voting results. The flaw lies entirely within the plugin code and is reachable through standard web input channels.
Affected Systems
All installations of the WP Voting Contest plugin from vendor Matt, from the first release through version 5.8, are affected. Any site running the plugin at or below the 5.8 release level is susceptible to this authorization failure.
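The affected range above can be checked against a plugin's main PHP file during an inventory sweep. The following is an added example, not code from the advisory or the plugin. It assumes the plugin's header `Plugin Name` field matches the name used in this advisory; the sample headers are constructed. The advisory names no fixed release, so versions above 5.8 are reported only as outside the stated range.

```python
import re

PLUGIN_NAME = "WP Voting Contest"  # name as written in the advisory (assumed header value)
LAST_AFFECTED = "5.8"              # advisory: first release through 5.8

def parse_header(php_source):
    """Collect 'Key: value' fields from a WordPress plugin header comment."""
    fields = {}
    for line in php_source.splitlines()[:60]:  # the header sits at the top of the file
        m = re.match(r"^[\s/*#@]*([A-Za-z][A-Za-z ]+?):\s*(.+?)\s*(?:\*/)?\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields

def version_key(version, width=4):
    """Leading dotted-numeric part as a padded tuple; None if there is none."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(".")][:width]
    return tuple(nums + [0] * (width - len(nums)))

def assess(php_source):
    """Classify one plugin file against the advisory's affected range."""
    fields = parse_header(php_source)
    if fields.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return "other-plugin"
    key = version_key(fields.get("version", ""))
    if key is None:
        return "unknown-version"  # no usable version: review manually
    if key <= version_key(LAST_AFFECTED):
        return "affected"
    return "above-advisory-range"

# Constructed sample headers, not taken from the real plugin.
def _header(name, version=None):
    ver = f" * Version: {version}\n" if version else ""
    return f"<?php\n/*\n * Plugin Name: {name}\n{ver} */\n"

SAMPLES = {
    "old": _header("WP Voting Contest", "5.7.2"),
    "boundary": _header("WP Voting Contest", "5.8"),
    "newer": _header("WP Voting Contest", "5.8.1"),
    "no_version": _header("WP Voting Contest"),
    "unrelated": _header("Example Gallery", "1.0"),
}

if __name__ == "__main__":
    for label, source in SAMPLES.items():
        print(f"{label}: {assess(source)}")
```
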
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, and the EPSS score of less than 1% reflects a low probability of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation campaigns. The most likely attack vector is remote, via the web interface of the affected WordPress site, where an attacker can submit crafted requests that are processed without role verification. Despite the low exploit probability, the potential impact on the integrity and confidentiality of contest data warrants immediate attention.