Impact
The vulnerability is a missing authorization flaw that allows an attacker to exploit incorrectly configured access controls. An attacker can trigger the export functionality of the WP Export Categories & Taxonomies plugin and download site categories and taxonomy data without proper authentication. The potential impacts are disclosure of the site's taxonomy structure and collection of data that could aid further reconnaissance. The weakness is classified as CWE-862: Missing Authorization.
Affected Systems
The flaw affects the Damian WP Export Categories & Taxonomies plugin for WordPress, versions from the earliest release through 1.0.3. Any WordPress site that has installed this plugin and has it enabled is potentially affected. No other components or plugins are mentioned as impacted.
Risk and Exploitability
The CVSS score of 5.3 positions this weakness in the moderate severity range. The EPSS score of less than 1% indicates that the likelihood of automated exploitation is currently very low. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation has been observed yet. Based on the description, the likely attack vector would be a web request to a plugin-export endpoint that lacks proper authorization checks; the attacker would not need elevated privileges beyond what a typical site visitor or logged‑in user possesses. If the vulnerability were to be leveraged, the attacker would gain unauthorized access to sensitive taxonomy information, which could facilitate more advanced attacks or data theft.
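For plugin developers and reviewers, the sketch below shows the kind of check whose absence CWE-862 describes, on an export handler registered through WordPress's `admin_post_` hook. It is an added example, not the plugin's own code: the action name `example_export_terms`, the function name, the `manage_categories` capability choice and the CSV columns are all assumptions.

```php
<?php
// Added illustration: hypothetical export handler, NOT the plugin's code.
// 'example_export_terms' and the CSV layout are assumed names.

// Weak pattern (left commented out): exposing the handler to logged-out
// visitors and never checking who is asking.
// add_action( 'admin_post_nopriv_example_export_terms', 'example_export_terms' );

// Corrected pattern: authenticated hook only, plus capability and nonce checks.
add_action( 'admin_post_example_export_terms', 'example_export_terms' );

function example_export_terms() {
    // Authorization: only users allowed to manage categories may export.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_die( esc_html__( 'You are not allowed to export taxonomies.' ), 403 );
    }
    // CSRF: the link or form must carry a nonce created for this action.
    check_admin_referer( 'example_export_terms' );

    // Accept only a registered taxonomy name; default to 'category'.
    $taxonomy = isset( $_GET['taxonomy'] )
        ? sanitize_key( wp_unslash( $_GET['taxonomy'] ) )
        : 'category';
    if ( ! taxonomy_exists( $taxonomy ) ) {
        wp_die( esc_html__( 'Unknown taxonomy.' ), 400 );
    }

    $terms = get_terms( array( 'taxonomy' => $taxonomy, 'hide_empty' => false ) );
    if ( is_wp_error( $terms ) ) {
        wp_die( esc_html( $terms->get_error_message() ), 500 );
    }

    // Stream the export only after every check above has passed.
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="' . $taxonomy . '-export.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'term_id', 'name', 'slug', 'parent' ) );
    foreach ( $terms as $term ) {
        fputcsv( $out, array( $term->term_id, $term->name, $term->slug, $term->parent ) );
    }
    fclose( $out );
    exit;
}
```

The link that triggers the export would be built with `wp_nonce_url()` using the same action string, so that `check_admin_referer()` finds a valid `_wpnonce` on the request.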