Impact
The loopus WP Virtual Assistant plugin has a missing authorization flaw that allows exploitation of incorrectly configured access control levels. The lack of proper checks can enable an attacker to exercise functions beyond their intended permissions, potentially modifying plugin settings, viewing or submitting data that should be restricted, and undermining the confidentiality and integrity of the site’s content. The weakness is classified as CWE-862 (Missing Authorization).
Affected Systems
WordPress sites running the loopus WP Virtual Assistant plugin are affected, in all versions from the earliest available up to and including 3.0. Any site still on 3.0 or an older release is vulnerable unless a newer version is installed.
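To find affected installs, the version range above can be checked against the plugin headers on disk. The script below is an added example, not code from the plugin or from this advisory; it assumes the plugin's `Plugin Name` header contains "WP Virtual Assistant" and the standard `wp-content/plugins` layout, and the tree built in `demo()` is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = "3.0"                 # from the advisory: up to and including 3.0
NAME_NEEDLE = "wp virtual assistant"  # assumption: text found in the "Plugin Name" header

def header_field(text, field):  # one field of a WordPress plugin header, or None
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:(.*)$", text, re.I | re.M)
    return m.group(1).strip() if m else None

def version_key(version):
    """'3.0.0' -> (3,), '3.0.1' -> (3, 0, 1); None without a leading numeric part."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # so 3.0.0 compares equal to 3.0
        parts.pop()
    return tuple(parts)

def classify(version):
    key = version_key(version)
    if key is None:
        return "unknown"  # no usable version string: review by hand
    return "affected" if key <= version_key(LAST_AFFECTED) else "not affected"

def audit(plugins_dir):  # -> [(relative file, version, status)] for matching plugins
    findings, root = [], Path(plugins_dir)
    for php in sorted(root.glob("*/*.php")):
        # The header sits at the top of the file; the first 8 KiB is enough.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        name = header_field(head, "Plugin Name")
        if name and NAME_NEEDLE in name.lower():
            version = header_field(head, "Version")
            findings.append((php.relative_to(root).as_posix(), version, classify(version)))
    return findings

def demo():  # constructed plugins tree; folder and file names are made up
    header = "<?php\n/**\n * Plugin Name: WP Virtual Assistant\n * Version: {}\n */\n"
    with tempfile.TemporaryDirectory() as tmp:
        for folder, version in (("site-a", "3.0"), ("site-b", "3.0.1")):
            path = Path(tmp, folder, "plugin.php")
            path.parent.mkdir()
            path.write_text(header.format(version), encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call `audit()` with the path to the site's `wp-content/plugins` directory; an "unknown" result means the header had no parseable version and needs a manual look.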
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of <1% shows a very low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV. The most likely attack path involves a user who can authenticate to the WordPress administration interface but lacks sufficient permissions; such a user may be able to access plugin pages that do not enforce the correct role or capability checks. Exploiting the flaw could enable unauthorized actions within the plugin without requiring elevated privileges.