Impact
WordPress sites running the UiChemy plugin up to and including version 4.0.0 are affected by a missing authorization flaw: the plugin exposes administrative features without verifying that the calling user holds the required capability. Because the permission check is absent, a malicious actor could invoke privileged operations, potentially modifying or deleting the text-generation templates that the plugin manages. This missing authorization could give an attacker unauthorized access to configuration settings, affecting the confidentiality and integrity of the site's content.
Affected Systems
The vulnerability affects the POSIMYTH UiChemy WordPress plugin. Any installation of UiChemy version 4.0.0 or older is potentially vulnerable; newer releases are not affected. Administrators and editors who rely on the plugin should compare the installed version against this advisory.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate risk profile. The EPSS score of less than 1% suggests that, at the time of analysis, exploitation attempts were extremely rare, and the vulnerability is not listed in CISA's KEV catalog. Exploitation would most likely require an authenticated user, or someone who obtains access to a privileged session, since the flaw allows role-based checks to be bypassed rather than authentication itself. An attacker with sufficient access could modify or delete operational data managed by UiChemy.
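As an added illustration (not UiChemy's code and not taken from this advisory), the pattern behind a missing authorization flaw in a WordPress plugin: a hypothetical AJAX handler that writes a template without checking the caller's capability, beside a hardened version that verifies a nonce and the `manage_options` capability before writing. All hook, option and function names here are assumptions chosen for the example.

```php
<?php
// Added example, not UiChemy's code. Shows CWE-862 (missing authorization)
// in a WordPress AJAX handler and the corrected form. Names are hypothetical.

// Vulnerable pattern: wp_ajax_* hooks are reachable by ANY logged-in user
// (subscriber included), and nothing here checks who is calling.
function hypo_save_template_vulnerable() {
    $name = sanitize_key( $_POST['name'] ?? '' );
    $body = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    update_option( 'hypo_template_' . $name, $body ); // privileged write
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_template', 'hypo_save_template_vulnerable' );

// Hardened pattern: reject requests without a valid nonce (CSRF protection)
// and without an explicit capability check (authorization). Both matter:
// a nonce alone does not prove the user is allowed to perform the action.
function hypo_save_template_hardened() {
    // 1. Nonce: the request must originate from our own admin UI.
    //    check_ajax_referer() calls wp_die() on failure.
    check_ajax_referer( 'hypo_save_template', 'nonce' );

    // 2. Capability: only users allowed to manage settings may write.
    //    wp_send_json_error() also terminates execution.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation happens only after the caller is authorized.
    $name = sanitize_key( $_POST['name'] ?? '' );
    $body = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'Missing template name' ), 400 );
    }
    update_option( 'hypo_template_' . $name, $body );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_template_v2', 'hypo_save_template_hardened' );

// The admin page that issues the request must emit the matching nonce, e.g.:
// wp_localize_script( 'hypo-admin', 'hypoAjax',
//     array( 'nonce' => wp_create_nonce( 'hypo_save_template' ) ) );
```

When auditing a plugin for this class of flaw, look for every `wp_ajax_*`, REST route and `admin_post_*` handler and confirm each one performs a `current_user_can()` check (or a REST `permission_callback`) before touching options, posts or files.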
OpenCVE Enrichment