Impact
This vulnerability is a missing authorization flaw that allows an attacker to bypass the intended access control settings in the SaifuMak Add Custom Codes plugin. Because the plugin does not enforce proper role checks, any user with write permissions can exploit incorrectly configured security levels to perform unauthorized actions. The weakness is identified as CWE‑862, which indicates a defect in access control mechanisms that can lead to privilege escalation and unauthorized data manipulation.
Affected Systems
The issue affects the SaifuMak Add Custom Codes plugin for WordPress up through version 4.80. All releases equal to or lower than 4.80 are vulnerable; no specific sub‑version list is provided, so any installation of the plugin in that range is at risk.
Risk and Exploitability
The CVSS score of 5.4 places the risk in the moderate range, and the EPSS score of less than 1% indicates a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the web interface of the WordPress site; an attacker who can authenticate as a user with write access can manipulate the plugin’s settings and execute actions beyond their intended privileges. No exploitation conditions beyond the presence of the vulnerable plugin and a suitable user role are specified.