Impact
This vulnerability is a missing authorization flaw that permits attackers to gain elevated privileges within the Trash Duplicate and 301 Redirect plugin. Because the plugin’s access controls are incorrectly configured, an attacker who reaches a managed site can modify plugin settings or exploit other misconfigurations, potentially leading to unauthorized changes or further compromise. The weakness is classified as CWE-862 (Missing Authorization), an access-control flaw. The impact is therefore an escalation of privileges that could affect the confidentiality, integrity, or availability of the web application.
Affected Systems
The affected product is the WordPress plugin Trash Duplicate and 301 Redirect developed by solwininfotech. All releases from the initial version up through version 1.9.1 are vulnerable. The vulnerability description does not list specific patch versions beyond that threshold.
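A defender-side check for the version range stated above, as an added example that is not part of the advisory or the plugin's code: it reads the header comment of a plugin's main PHP file, matches the plugin by name, and compares the version numerically against 1.9.1. The sample header is constructed, and the function names and status labels are assumptions of this example.

```python
import re

# Values taken from the advisory text.
PLUGIN_NAME = "Trash Duplicate and 301 Redirect"
LAST_AFFECTED = (1, 9, 1)

# WordPress reads "Key: value" pairs from the header comment of the main plugin file.
HEADER_RE = re.compile(
    r"^(?:[ \t]*<\?php)?[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$",
    re.MULTILINE | re.IGNORECASE,
)

# Constructed sample header, not copied from the real plugin.
SAMPLE = """<?php
/**
 * Plugin Name: Trash Duplicate and 301 Redirect
 * Version: 1.9
 */
"""


def parse_header(php_source):
    """Return the lower-cased header fields found in the first 8 KB of the file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value.strip())
    return fields


def version_tuple(text):
    """Turn '1.9' or '1.10.0-beta' into a numeric tuple padded to three parts."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    if not parts:
        raise ValueError("no numeric version component")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(php_source):
    """Classify a plugin file: 'not-target', 'affected', 'review' or 'above-range'."""
    fields = parse_header(php_source)
    if fields.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return "not-target"
    try:
        version = version_tuple(fields["version"])
    except (KeyError, ValueError):
        return "review"  # right plugin, but version missing or unparsable
    # Numeric comparison: 1.10.0 sorts above 1.9.1, which a string compare gets wrong.
    return "affected" if version <= LAST_AFFECTED else "above-range"
```

The label `above-range` is deliberate: the advisory names no fixed release, so a version past 1.9.1 is reported as outside the stated range rather than as patched.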
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1% indicates a low estimated probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is web-based through a WordPress site that has the vulnerable plugin active; an attacker would need to interact with the plugin’s interfaces to take advantage of the access-control flaw. Because the flaw allows unauthorized configuration changes, it can serve as a stepping stone for broader attacks on the site if combined with other vulnerabilities.