Impact
The vulnerability is a missing authorization flaw that allows users to access or manipulate serial code functionality without the required privileges. It enables attackers to view, generate, or alter serial codes normally restricted to privileged users, potentially compromising product licensing or customer data. The weakness is classified as CWE-862 (Missing Authorization).
Affected Systems
Vollstart’s Serial Codes Generator and Validator with WooCommerce Support plugin versions up to and including 2.8.2 are affected. The vulnerability applies broadly across all installations of this plugin where access controls are insufficiently enforced.
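A defender's check for the version range above, as an added example that is not part of the advisory or the plugin's code: it reads the standard WordPress plugin file header and reports whether an install is at or below 2.8.2. Matching on the Plugin Name text is an assumption, and the sample header is constructed for illustration.

```python
import re
from itertools import zip_longest

# Last affected release, as stated in the advisory text.
LAST_AFFECTED = "2.8.2"
# Assumption: the plugin's "Plugin Name" header contains this title.
PLUGIN_TITLE = "serial codes generator and validator"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_plugin_header(php_source):
    """Extract Plugin Name and Version from a WordPress plugin file header."""
    fields = {}
    # WordPress itself only scans the first 8 KiB of the file for headers.
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """Leading integer of each dotted component; None if any component lacks one."""
    found = [re.match(r"\d+", c) for c in version.strip().split(".")]
    return tuple(int(m.group()) for m in found) if all(found) else None

def is_affected(version, last_affected=LAST_AFFECTED):
    """True if version <= last_affected, None if the version cannot be parsed."""
    v = version_tuple(version)
    if v is None:
        return None
    # Pad the shorter version with zeros so "2.8" compares as "2.8.0".
    for a, b in zip_longest(v, version_tuple(last_affected), fillvalue=0):
        if a != b:
            return a < b
    return True

def audit(php_source):
    """Return 'affected', 'not affected', 'unknown version' or 'other plugin'."""
    header = parse_plugin_header(php_source)
    if PLUGIN_TITLE not in header.get("plugin name", "").lower():
        return "other plugin"
    verdict = is_affected(header.get("version", ""))
    if verdict is None:
        return "unknown version"  # flag for manual review rather than guessing
    return "affected" if verdict else "not affected"

# Constructed sample header, not copied from the real plugin.
SAMPLE = ("<?php\n/**\n * Plugin Name: Serial Codes Generator and Validator "
          "with WooCommerce Support\n * Version: 2.8.2\n */\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run `audit()` over the main PHP file of each installed plugin; an "unknown version" result means the header could not be parsed and the install should be checked by hand.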
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation reports. Based on the description, the attack vector is inferred to involve sending crafted HTTP requests to the plugin’s administrative or public endpoints that are supposed to be protected by authentication. An attacker with basic access to the site could exploit this flaw without additional prerequisites, but successful exploitation would likely require the plugin to be installed and the server to expose vulnerable endpoints.