Impact
The Realbig realbig-media plugin contains a missing authorization flaw: the plugin does not correctly enforce its access control levels, so an unauthorized user can reach administrative functions provided by the plugin and potentially modify or delete media content without the required permissions. The weakness is a classic missing authorization error, catalogued as CWE-862.
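To make the CWE-862 pattern concrete, the following is an added illustration constructed for this page, not code from the realbig-media plugin: a WordPress AJAX media-delete handler with no authorization check, beside a hardened version. The hook names, nonce action, request parameter and capability are assumptions.

```php
<?php
// Constructed illustration of a CWE-862 (Missing Authorization) pattern in a
// WordPress plugin AJAX handler. Not the realbig-media plugin's code; the hook
// names, nonce action and parameter names are assumed for the example.

// Vulnerable shape: the handler is reachable by any logged-in user through
// admin-ajax.php (wp_ajax_*), and nothing checks a capability or a nonce before
// an attachment is deleted. Registering the same callback on wp_ajax_nopriv_*
// would expose it to unauthenticated requests as well.
add_action( 'wp_ajax_example_delete_media', 'example_delete_media_vulnerable' );
function example_delete_media_vulnerable() {
    $id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;
    wp_delete_attachment( $id, true );
    wp_send_json_success();
}

// Hardened shape: verify a nonce bound to this action, validate the target, and
// require the object-level capability for that specific attachment before acting.
add_action( 'wp_ajax_example_delete_media_safe', 'example_delete_media_hardened' );
function example_delete_media_hardened() {
    // Dies with a 403 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_media', 'nonce' );

    $id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // The authorization check the vulnerable version lacks: may this user
    // delete this particular post? 'delete_post' is a WordPress meta capability
    // resolved against the post's author and the user's role.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( ! wp_delete_attachment( $id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}

// The page that renders the delete control issues the matching nonce, e.g.
// wp_nonce_field( 'example_delete_media', 'nonce' ) or
// wp_create_nonce( 'example_delete_media' ) for a JavaScript caller.
```

When reviewing a plugin for this class of bug, look for every wp_ajax_, wp_ajax_nopriv_, REST route and admin-post handler that changes state and confirm each one performs both a nonce check and a capability check.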
Affected Systems
WordPress sites that have installed the nikmelnik Realbig realbig-media plugin at version 1.1.3 or earlier are affected. The vulnerability applies to all installations lacking the latest patch, regardless of environment or configuration, because the flaw resides entirely within the plugin code.
Risk and Exploitability
The public CVSS score is 5.3, indicating moderate severity. The EPSS score is below 1%, suggesting that exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog, but attackers could reach affected sites through the default WordPress login mechanisms or exposed plugin endpoints. Exploitation appears to require no special privileges beyond access to the plugin’s administrative interface, so the attack vector is likely remote and unauthenticated where the site’s access controls are weak.
OpenCVE Enrichment