Impact
The vulnerability is a missing authorization flaw (CWE-862): the Bertha AI WordPress plugin exposes functionality without checking that the caller is allowed to use it. As a result, an unauthenticated visitor, or a user with a low-privileged account, can invoke plugin operations that should be restricted to higher-privileged roles, potentially disclosing or modifying data the plugin handles. The impact is limited to the operations the plugin exposes and depends on the site's configuration and on which accounts the attacker can use.
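The following is an added illustration of the CWE-862 pattern in a WordPress request handler, written for this page; it is not the Bertha AI plugin's code and makes no claim about which of its handlers is affected. The action name "demo_ai_generate", the REST namespace "demo-ai/v1", the option names and the capability "manage_options" are all assumptions chosen for the example. It shows the vulnerable wiring (reachable by anyone, no capability check) beside a hardened handler that authorizes the caller, verifies a nonce, and stops echoing secrets.

```php
<?php
/*
 * Added example of a missing-authorization (CWE-862) WordPress handler and
 * its hardened counterpart. Not the Bertha AI plugin's code; every name
 * below (action, namespace, options, capability) is an assumption.
 */

// --- Vulnerable pattern ------------------------------------------------
// Registering the handler on both wp_ajax_ and wp_ajax_nopriv_ makes it
// reachable by every logged-in user AND by anonymous visitors, and the
// function never asks whether the caller may perform the operation.
function demo_ai_generate_vulnerable() {
    $prompt = isset( $_POST['prompt'] ) ? sanitize_text_field( wp_unslash( $_POST['prompt'] ) ) : '';
    $api_key = get_option( 'demo_ai_api_key' );        // sensitive setting read with no check
    update_option( 'demo_ai_last_prompt', $prompt );   // state changed with no check
    wp_send_json_success( array( 'key_in_use' => $api_key ) ); // secret leaks to the caller
}
// Vulnerable wiring, shown for contrast only (commented out so it never runs):
// add_action( 'wp_ajax_demo_ai_generate',        'demo_ai_generate_vulnerable' );
// add_action( 'wp_ajax_nopriv_demo_ai_generate', 'demo_ai_generate_vulnerable' );

// --- Hardened pattern --------------------------------------------------
// No nopriv hook, an explicit capability check, and a nonce so that an
// administrator cannot be made to fire the action from another site.
function demo_ai_generate_hardened() {
    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), execution stops here
    }
    // CSRF protection: dies with HTTP 403 if _ajax_nonce is missing or invalid.
    check_ajax_referer( 'demo_ai_generate', '_ajax_nonce' );

    $prompt = isset( $_POST['prompt'] ) ? sanitize_text_field( wp_unslash( $_POST['prompt'] ) ) : '';
    update_option( 'demo_ai_last_prompt', $prompt );
    // Never return the stored secret to the client.
    wp_send_json_success( array( 'stored' => true ) );
}
add_action( 'wp_ajax_demo_ai_generate', 'demo_ai_generate_hardened' );

// --- Same mistake on a REST route ---------------------------------------
// A missing permission_callback, or one that is '__return_true', makes the
// endpoint public. The callback below is the hardened form.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-ai/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_ai_rest_update_settings',
        // Vulnerable form would be:  'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function demo_ai_rest_update_settings( WP_REST_Request $request ) {
    $key = sanitize_text_field( (string) $request->get_param( 'api_key' ) );
    update_option( 'demo_ai_api_key', $key );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

The client side of the hardened handler must send a nonce created with wp_create_nonce( 'demo_ai_generate' ) in the _ajax_nonce field. Note the order of the two checks: the capability check is the authorization control that CWE-862 is about; the nonce only stops cross-site request forgery and, on its own, would still let any user who can obtain a nonce call the handler. A quick way to confirm a handler of this shape is protected is to call it without a logged-in session: the hardened version answers 403 where the vulnerable one answers 200 with data.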
Affected Systems
WordPress sites running the Bertha AI – Andrew Palmer plugin at version 1.13 or earlier are affected; every release from the first up to and including 1.13 carries the flaw. Site administrators should confirm the installed version (on the Plugins screen, or with WP-CLI's plugin list command) and update to a release above 1.13 if one is available. Until then, the plugin's functionality is exposed to anyone who can reach the site.
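As an added operational example (not part of the plugin or of OpenCVE), the must-use plugin below flags an installed copy in the affected range and deactivates it until an administrator updates. The plugin file path "bertha-ai/bertha-ai.php" is an assumption; confirm it against the keys returned by get_plugins() on your site. The affected ceiling "1.13" is taken from the page; if a 1.13.x point release exists that the page does not mention, adjust the constant.

```php
<?php
/*
 * Plugin Name: Affected-version gate for Bertha AI (added example)
 * Description: Deactivates the plugin while its installed version is <= 1.13.
 *
 * Added example, not the plugin's own code. Place in wp-content/mu-plugins/.
 * DEMO_GATE_PLUGIN_FILE is an assumed path; verify it with get_plugins().
 */

define( 'DEMO_GATE_PLUGIN_FILE', 'bertha-ai/bertha-ai.php' ); // assumption
define( 'DEMO_GATE_LAST_VULNERABLE', '1.13' );                // from the advisory text

/**
 * True when $version falls in the affected range (<= 1.13).
 * version_compare() compares components numerically, so "1.13" is newer
 * than "1.9"; a float or plain string comparison would get that backwards.
 */
function demo_gate_is_vulnerable( $version ) {
    return version_compare( (string) $version, DEMO_GATE_LAST_VULNERABLE, '<=' );
}

add_action( 'admin_init', function () {
    // Only users who can manage plugins should trigger a deactivation.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active(), deactivate_plugins()

    $plugins = get_plugins();
    if ( ! isset( $plugins[ DEMO_GATE_PLUGIN_FILE ] ) ) {
        return; // plugin not installed on this site
    }
    $installed = $plugins[ DEMO_GATE_PLUGIN_FILE ]['Version'];
    if ( ! demo_gate_is_vulnerable( $installed ) ) {
        return; // already on a release above 1.13
    }

    if ( is_plugin_active( DEMO_GATE_PLUGIN_FILE ) ) {
        deactivate_plugins( DEMO_GATE_PLUGIN_FILE );
    }
    add_action( 'admin_notices', function () use ( $installed ) {
        $msg = sprintf(
            'Bertha AI %s is in the affected range (<= %s) and has been deactivated by the version gate; update it before re-enabling.',
            $installed,
            DEMO_GATE_LAST_VULNERABLE
        );
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $msg ) );
    } );
} );
```

Deactivation is a containment step, not a fix: the vulnerable files remain on disk and the plugin's own update routine is the remediation. If taking the plugin offline is unacceptable for the site, keep the notice and drop the deactivate_plugins() call.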
Risk and Exploitability
The CVSS base score of 5.3 places the issue in the medium severity range. The EPSS score of less than 1% estimates a low probability of exploitation in the wild over the coming 30 days; it does not mean exploitation is impossible. The vulnerability is not listed in the CISA KEV catalog, which means CISA has no confirmed evidence of active exploitation; absence from KEV says nothing about whether public exploit code exists. The likely attack path is a request to the plugin's exposed functionality, through its front-end interface or by calling its request handlers directly, from an unauthenticated or low-privileged session. The low exploitation probability reduces immediate urgency compared to higher-severity flaws, but a missing authorization check is cheap to exercise once the affected operation is known, so the update should not be deferred on a site where the plugin is active.
OpenCVE Enrichment