Impact
This vulnerability is a missing authorization flaw (CWE-862) in the Hide Plugins plugin for WordPress. The plugin exposes functionality that reads or changes its configuration without verifying that the calling user holds the capability required for that action, so an authenticated user who lacks that capability can read or modify the plugin's settings and learn which plugins have been hidden. CWE-862 denotes exactly this condition: the code performs an action on behalf of a user without checking that the user is authorized to perform it. The primary impact is unauthorized access to plugin-management functionality: an attacker can change which installed plugins are visible in the administration interface, undermining the integrity of the plugin inventory as administrators see it.
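The pattern behind CWE-862 in WordPress plugins, shown as an added example that is not the Hide Plugins plugin's code: a `wp_ajax_{action}` hook fires for any logged-in user, subscriber included, so a handler that relies on login alone performs no real authorization. The action names, option name and `activate_plugins` capability below are assumptions chosen for illustration; the hardened form adds a nonce for CSRF and `current_user_can()` for authorization, and gates the read path as well as the write path.

```php
<?php
/**
 * Added illustrative example (hypothetical plugin code, not Hide Plugins).
 * Option name, AJAX actions and capability are assumptions for illustration.
 */

// --- Vulnerable form -------------------------------------------------------
// wp_ajax_{action} runs for ANY authenticated user regardless of role. With no
// explicit capability check, a subscriber can rewrite the hidden-plugins list.
add_action( 'wp_ajax_example_save_hidden_plugins', 'example_save_hidden_plugins_vulnerable' );
function example_save_hidden_plugins_vulnerable() {
    $hidden = isset( $_POST['hidden'] ) ? (array) $_POST['hidden'] : array();
    update_option( 'example_hidden_plugins', array_map( 'sanitize_text_field', $hidden ) );
    wp_send_json_success( get_option( 'example_hidden_plugins' ) );
}

// --- Hardened form ---------------------------------------------------------
// Two independent checks. The nonce alone does NOT fix CWE-862: a low-privilege
// user can obtain a valid nonce for their own session. current_user_can() is
// the authorization check; activate_plugins is the capability WordPress itself
// requires for the Plugins screen, held by administrators and not by lower roles.
add_action( 'wp_ajax_example_save_hidden_plugins_safe', 'example_save_hidden_plugins_hardened' );
function example_save_hidden_plugins_hardened() {
    check_ajax_referer( 'example_hidden_plugins', '_wpnonce' );

    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $hidden = isset( $_POST['hidden'] ) ? (array) wp_unslash( $_POST['hidden'] ) : array();
    // Accept only values that name an installed plugin (plugin_basename form),
    // so the option can never hold arbitrary attacker-chosen strings.
    $installed = array_keys( get_plugins() );
    $hidden    = array_values( array_intersect( array_map( 'sanitize_text_field', $hidden ), $installed ) );

    update_option( 'example_hidden_plugins', $hidden );
    wp_send_json_success( $hidden );
}

// The read path needs the same gate: disclosing which plugins are hidden is the
// confidentiality side of the impact described above.
add_action( 'wp_ajax_example_get_hidden_plugins', 'example_get_hidden_plugins' );
function example_get_hidden_plugins() {
    check_ajax_referer( 'example_hidden_plugins', '_wpnonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    wp_send_json_success( (array) get_option( 'example_hidden_plugins', array() ) );
}
```

When reviewing a plugin for this class of bug, look at every `wp_ajax_*`, `admin_post_*`, REST `permission_callback` and `admin_init` handler and ask which line rejects a logged-in subscriber; if the only check is a nonce, the handler is still missing authorization.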
Affected Systems
The affected product is the Hide Plugins plugin for WordPress by ThemeBoy, all versions from the initial release up to and including 1.0.4. Any WordPress site with one of these versions installed is considered vulnerable. No WordPress core version constraint is given, so exposure is determined by the plugin version alone, regardless of the core release in use.
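A check for the affected range, added here as an example rather than taken from the advisory or the plugin: it reads the `Version:` header from a plugin's main file the same way WordPress does (first 8 KiB of the header comment) and compares it against 1.0.4 with `version_compare()`. The path `wp-content/plugins/hide-plugins/hide-plugins.php` is an assumption, since the advisory does not state the plugin slug; when no readable path is supplied the script falls back to a constructed sample header.

```php
<?php
/**
 * Added example (not from the advisory or the plugin). Decide whether an
 * installed plugin copy is within the affected range "initial release through 1.0.4".
 * The plugin file path below is an assumption; the slug is not in the advisory.
 */

const EXAMPLE_LAST_AFFECTED_VERSION = '1.0.4';

/** Extract the Version header from a plugin main file, as WordPress's get_file_data() does. */
function example_plugin_version_from_source( string $source ): ?string {
    // WordPress inspects only the first 8 KiB of the file for headers.
    $head = str_replace( "\r", "\n", substr( $source, 0, 8192 ) );
    if ( preg_match( '/^(?:[ \t]*<\?php)?[ \t\/*#@]*Version:(.*)$/mi', $head, $m ) ) {
        // Same cleanup WordPress applies: strip a trailing "*/" or "?>" and whitespace.
        $version = trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
        return $version === '' ? null : $version;
    }
    return null;
}

/** True when $version falls in the affected range (<= 1.0.4). */
function example_is_affected( ?string $version ): bool {
    if ( $version === null ) {
        // No parsable version: treat as affected until verified by hand.
        return true;
    }
    return version_compare( $version, EXAMPLE_LAST_AFFECTED_VERSION, '<=' );
}

// Constructed sample header used when no real plugin file is available.
$example_sample = <<<'HEADER'
<?php
/*
Plugin Name: Hide Plugins
Version: 1.0.4
*/
HEADER;

$example_path = $argv[1] ?? 'wp-content/plugins/hide-plugins/hide-plugins.php'; // assumed slug
$example_src  = is_readable( $example_path ) ? file_get_contents( $example_path ) : $example_sample;

$example_version = example_plugin_version_from_source( $example_src );
printf(
    "%s: version %s -> %s\n",
    is_readable( $example_path ) ? $example_path : 'constructed sample',
    $example_version ?? 'unknown',
    example_is_affected( $example_version ) ? 'AFFECTED' : 'not affected'
);
```

Run it as `php check.php /path/to/wp-content/plugins/<slug>/<main-file>.php` on each site, or feed it the output of `wp plugin list --format=json` if WP-CLI is available; an unparsable or missing version is reported as affected so that nothing is silently skipped.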
Risk and Exploitability
The CVSS base score for this issue is 4.3 (Medium). The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and the issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The description points to a remote attack through the web interface: an authenticated user whose role does not grant plugin management can view or change the plugin's settings because the server-side handler does not verify permissions. The description does not state which role is required, but a low-privilege account is the likely prerequisite, and no special network position is needed beyond ordinary access to the site. Overall, severity is moderate and exploitation likelihood is low; organizations should still remediate promptly, by updating or removing the plugin, to prevent elevation of privileges within plugin management and disclosure of which plugins are hidden.
OpenCVE Enrichment