Impact
The vulnerability is a missing authorization check in Made Neat's Acknowledgify WordPress plugin. An attacker who can reach the plugin's administrative endpoints can perform actions that should be limited to users with higher privileges, such as creating, updating, or deleting acknowledgment entries. This flaw is a type of broken access control, identified as CWE-862. The impact is that confidential or sensitive site data could be exposed or modified by unauthorized users.
Affected Systems
WordPress sites with the Acknowledgify plugin installed at any version through 1.1.3 are affected. Every installation of the plugin, in any WordPress deployment, should be examined. No other products or vendors are listed as affected.
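One way to examine installations for the affected range, as an added example that is not code from the vendor or from this advisory: it reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) from each plugin's PHP files and flags Acknowledgify at 1.1.3 or lower. That the plugin's header name contains "Acknowledgify" is an assumption, and the folder names and versions in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 1, 3)       # from the advisory: versions through 1.1.3
PLUGIN_NAME = "acknowledgify"   # assumption: appears in the "Plugin Name:" header

# WordPress reads these fields from a comment in the first 8 KB of a plugin file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)


def parse_version(text):
    """Turn '1.1.3' into (1, 1, 3); ignore any suffix after a hyphen."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def read_header(php_file):
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {k.lower(): v for k, v in HEADER.findall(head)}


def find_affected(plugins_dir):
    """Return [(plugin_dir_name, version)] for affected Acknowledgify installs."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php_file)
        name = fields.get("plugin name", "")
        if PLUGIN_NAME not in name.lower() or "version" not in fields:
            continue
        if parse_version(fields["version"]) <= LAST_AFFECTED:
            hits.append((php_file.parent.name, fields["version"]))
    return hits


def demo():
    """Build a constructed plugins directory (sample data) and scan it."""
    root = Path(tempfile.mkdtemp())
    samples = {"acknowledgify": "1.1.3", "acknowledgify-new": "1.1.4", "other": "0.9"}
    for folder, version in samples.items():
        (root / folder).mkdir()
        name = "Other Plugin" if folder == "other" else "Acknowledgify"
        header = f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n"
        (root / folder / "main.php").write_text(header)
    return find_affected(root)


if __name__ == "__main__":
    print(demo())
```

On a real host, call `find_affected()` with the site's `wp-content/plugins` directory.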
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low but non-zero probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, implying no known exploits at the time of publication. An attacker could potentially invoke the unprotected functions remotely via the web interface, assuming the site allows visitors to access the plugin's endpoints. Because no special payload or permission is required, this is a low-effort attack for anyone who can send crafted requests to the vulnerable site.
OpenCVE Enrichment