Impact
The vulnerability is a missing authorization flaw: the plugin exposes functionality without verifying that the caller holds the privilege it requires. On a WordPress site this weakens the confidentiality and integrity of the e‑commerce configuration, because plugin features normally reserved for privileged users can be invoked by callers who lack those privileges. Depending on which function is exposed, this may allow unauthorized modification of settings, exposure of restricted data, or other privileged actions.
Affected Systems
Bux Woocommerce plugin versions 1.2.3 and earlier are vulnerable. Any WordPress installation running one of these releases is at risk, regardless of the WordPress core version.
Risk and Exploitability
A CVSS score of 6.5 corresponds to Medium severity. The EPSS score is below 1%, meaning the predicted probability of exploitation in the wild over the next 30 days is very low, and the vulnerability is not listed in the CISA KEV catalog, so no active exploitation is publicly known. The advisory does not state what authentication, if any, is required. Based on common broken access control patterns in WordPress plugins, an attacker would exploit the flaw by sending crafted HTTP requests to an endpoint the plugin exposes while lacking the capability that endpoint should require; whether this works for unauthenticated visitors or only for low‑privileged authenticated users is inferred, not confirmed by the advisory.
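As an added illustration, not code from the Bux Woocommerce plugin (the advisory does not identify the affected endpoint), the following hypothetical WordPress AJAX handler shows the missing-authorization pattern described in the Impact and Risk sections above, beside a hardened version. All action, option and nonce names (bux_demo_save, bux_demo_api_key, bux_demo_save_nonce) are invented; only the WordPress and WooCommerce API calls are real.

```php
<?php
/*
 * Added illustration, not code from the Bux Woocommerce plugin.
 * Hypothetical settings-update endpoint showing a missing-authorization
 * pattern beside the hardened form. All bux_demo_* names are invented.
 */

// --- Vulnerable pattern ---
// Registered for logged-in users (wp_ajax_) AND visitors (wp_ajax_nopriv_),
// with no capability check and no nonce. Anyone who can reach
// POST /wp-admin/admin-ajax.php with action=bux_demo_save can change the option.
add_action( 'wp_ajax_bux_demo_save', 'bux_demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_bux_demo_save', 'bux_demo_save_settings_vulnerable' );

function bux_demo_save_settings_vulnerable() {
    // No current_user_can() and no check_ajax_referer(): the request is
    // trusted solely because it reached the handler.
    update_option( 'bux_demo_api_key', wp_unslash( $_POST['api_key'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern ---
// Only the logged-in hook is registered (no nopriv variant), and the handler
// itself still checks a capability and a nonce: being logged in is not the
// same as being authorized, and the action name is not a secret.
add_action( 'wp_ajax_bux_demo_save_fixed', 'bux_demo_save_settings_fixed' );

function bux_demo_save_settings_fixed() {
    // Authorization: only users who may manage WooCommerce settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // CSRF protection: nonce bound to this action and the current user,
    // passed in the 'nonce' request parameter. Dies with 403 on failure.
    check_ajax_referer( 'bux_demo_save_nonce', 'nonce' );

    // Input handling: unslash, then sanitize before storing.
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'bux_demo_api_key', $api_key );
    wp_send_json_success();
}
```

The first handler is the shape a missing-authorization finding usually takes in a WordPress plugin: the hook decides who can reach the code, and nothing inside the code decides who may run it. A quick way to audit a plugin for this class of bug is to list every add_action( 'wp_ajax_ …' ) and register_rest_route() call and confirm that each handler, or its permission_callback, calls current_user_can() with an appropriate capability rather than relying on the hook or on a permission_callback of '__return_true'.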
OpenCVE Enrichment