Impact
The vulnerability is a missing authorization flaw in the WP Advanced PDF plugin, allowing an attacker to exploit incorrectly configured access control levels. Because the plugin accepts requests without verifying that the requester has sufficient privileges, unauthorized users could potentially create, edit, or delete PDF settings and documents. This could lead to data tampering or unauthorized disclosure of sensitive information stored within the PDF files, affecting the confidentiality and integrity of the website content.
Affected Systems
This issue affects the WP Advanced PDF plugin for WordPress, as sold by cedcommerce, in all versions up to and including 1.1.7. The plugin is commonly deployed on public blogs and corporate websites that use WordPress, so any site running an affected version is potentially vulnerable.
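To find affected installs, the version range above can be checked against each plugin's header comment. The following is an added example, not code from the plugin or from OpenCVE; it assumes the standard `wp-content/plugins/<folder>/<main>.php` layout and matches on the plugin name given in this advisory, and the sample header is constructed.

```python
import re
from pathlib import Path

PLUGIN_NAME = "WP Advanced PDF"   # name as given in the advisory
LAST_AFFECTED = (1, 1, 7)         # "up to and including 1.1.7"

# WordPress plugin metadata lives in "Field: value" lines of the main file's header comment.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t\r]*$", re.I | re.M)

# Constructed sample header, not copied from the real plugin.
SAMPLE = """<?php
/**
 * Plugin Name: WP Advanced PDF
 * Version: 1.1.7
 */
"""

def parse_header(php_source):
    """Return the 'plugin name' and 'version' header fields that are present."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads only the first 8 KiB
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """Turn '1.1.7' into (1, 1, 7); a suffix such as '-beta' is ignored."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(php_source):
    """Classify one file: 'affected', 'outside-range', 'unknown' or 'other-plugin'."""
    fields = parse_header(php_source)
    if fields.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return "other-plugin"
    if "version" not in fields:
        return "unknown"  # no version header: verify by hand before ruling it out
    in_range = version_tuple(fields["version"]) <= LAST_AFFECTED
    return "affected" if in_range else "outside-range"

def scan(plugins_dir):
    """Yield (path, verdict) for each top-level plugin file that declares this plugin."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        verdict = assess(php.read_text(errors="replace"))
        if verdict != "other-plugin":
            yield str(php), verdict
```

`list(scan("/var/www/html/wp-content/plugins"))` (path is an example) returns one entry per matching install; "outside-range" only means the version is above the range this advisory states.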
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests that, at the time of analysis, the likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog, so there is no known large-scale exploitation. The attack vector is inferred to be remote, requiring the attacker to reach the plugin's exposed endpoints; however, because the flaw is an authorization bypass, an attacker needs only to be able to craft a request to the relevant URLs. The lack of an explicit authentication requirement lowers the technical barrier, and the flaw could be exploited through social engineering or compromised user accounts.