Impact
The vulnerability is a missing authorization flaw that allows an attacker to access or modify data protected by the One Page Express Companion plugin. This flaw is classified as CWE-862, which indicates that a protected resource can be accessed by users who lack the necessary privileges. An attacker who can exploit this flaw could add, edit, or delete content or configuration settings in the WordPress site that uses the plugin, compromising the confidentiality, integrity, or availability of that site.
Affected Systems
The affected product is the WordPress One Page Express Companion plugin developed by Horea Radu. All installations of the plugin from its initial release up to and including version 1.6.43 are vulnerable. Any WordPress site that includes this plugin in that version range is potentially impacted.
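To inventory installations against the version range above, the following added example (not part of the advisory or the plugin's code) reads WordPress plugin headers under a plugins directory and flags copies at or below 1.6.43. It assumes the plugin's header uses the name exactly as written in this advisory; the sample header is constructed, and the advisory names no fixed version, so later versions are only reported as outside the stated range.

```python
import re
from pathlib import Path

PLUGIN_NAME = "One Page Express Companion"  # name as written in the advisory
LAST_AFFECTED = (1, 6, 43)                  # "up to and including version 1.6.43"

# WordPress plugin header fields sit in the leading comment of the main PHP file.
HEADER_FIELD = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.M | re.I)

# Constructed sample header, not copied from the real plugin.
SAMPLE_HEADER = "<?php\n/*\n * Plugin Name: One Page Express Companion\n * Version: 1.6.43\n */\n"

def parse_header(text):
    """Return the first 'plugin name' and 'version' values found in the header."""
    fields = {}
    for key, value in HEADER_FIELD.findall(text[:8192]):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """'1.6.43' -> (1, 6, 43); None when no leading numeric component exists."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        return None
    while len(parts) > 1 and parts[-1] == 0:  # 1.6.43.0 == 1.6.43
        parts.pop()
    return tuple(parts)

def is_affected(header_text):
    fields = parse_header(header_text)
    if fields.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return False
    version = version_tuple(fields.get("version", ""))
    # An unreadable version is reported so that it gets a manual look.
    return version is None or version <= LAST_AFFECTED

def scan_plugins(plugins_dir):
    """List main plugin files under wp-content/plugins that fall in the range."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        if is_affected(php.read_text(encoding="utf-8", errors="replace")):
            hits.append(str(php))
    return hits
```

Call `scan_plugins` with the path to a site's `wp-content/plugins` directory; it returns the matching main plugin files.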
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% indicates a very low probability of exploitation at the time of this analysis. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through unauthenticated or low-privilege authenticated access to WordPress, allowing an attacker to manipulate plugin data. The vulnerability requires the plugin to be exposed through the web server and does not rely on complex prerequisites.
OpenCVE Enrichment