Impact
The plugin is missing an authorization check on at least one of its actions: a request reaches a privileged operation without the plugin verifying that the caller holds the required capability. An attacker who can reach that endpoint can therefore perform actions intended for privileged users, such as creating or altering content within the plugin's scope. The flaw does not by itself expose core WordPress files or data, but unauthorized manipulation of plugin-specific data could be used to hide malicious changes or to disrupt site functionality.
Affected Systems
The WordPress "Effect Maker" plugin by vendor anibalwainstein is affected in all versions up to and including 1.2.1. Sites still running one of those versions without the available patch are exposed.
Risk and Exploitability
A CVSS score of 6.5 places the issue in the Medium severity band. The EPSS score of less than 1% indicates a low probability of exploitation in the wild at this time, and the issue is not listed in CISA's KEV catalog. The likely exploit path is nonetheless straightforward: an attacker who can reach the plugin's web endpoints sends a crafted request to an action whose access control check is omitted and thereby invokes a privileged operation. The fix is the vendor patch; until it is applied, restricting which roles can reach the plugin's functions through role management limits exposure, and plugin-managed content should be reviewed for unexpected changes.
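To make the flaw class concrete, the following is an added illustrative example, not code from the Effect Maker plugin or its vendor, of a WordPress AJAX handler that performs a privileged write without an authorization check, beside a hardened version. The action name, nonce action, option name and required capability are assumptions chosen for the demonstration.

```php
<?php
/**
 * Added illustrative example. NOT code from the Effect Maker plugin or its vendor.
 * The action name, nonce action, option name and capability are assumptions.
 */

// --- Vulnerable pattern: missing authorization ---
// wp_ajax_{action} fires for every authenticated user regardless of role.
// check_ajax_referer() only proves the request came from a page that rendered
// the nonce (anti-CSRF); it does not decide whether this user may perform the action.
function demo_save_effect_vulnerable() {
    check_ajax_referer( 'demo_effect_nonce', 'nonce' );

    $config = sanitize_text_field( wp_unslash( $_POST['config'] ?? '' ) );
    update_option( 'demo_effect_config', $config ); // privileged write, caller's role never checked
    wp_send_json_success( array( 'saved' => true ) );
}

// --- Hardened pattern: nonce AND capability check before the privileged write ---
function demo_save_effect_hardened() {
    check_ajax_referer( 'demo_effect_nonce', 'nonce' );

    // Authorization: only users allowed to manage options may change plugin config.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $config = sanitize_text_field( wp_unslash( $_POST['config'] ?? '' ) );
    update_option( 'demo_effect_config', $config );
    wp_send_json_success( array( 'saved' => true ) );
}

// Only the hardened handler is wired up; the vulnerable one is kept for comparison.
add_action( 'wp_ajax_demo_save_effect', 'demo_save_effect_hardened' );
// Deliberately NOT registering wp_ajax_nopriv_demo_save_effect: unauthenticated
// visitors should never reach a handler that writes plugin state.
```

To verify a fix of this shape on a staging site, log in as a low-privilege user (for example a subscriber), obtain a valid nonce from a page that renders one, and POST to wp-admin/admin-ajax.php with action=demo_save_effect: the vulnerable handler accepts the write, the hardened one returns 403. The point worth remembering is that a nonce check alone does not close this class of bug, because nonces defend against CSRF rather than deciding who is allowed to perform the action.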
OpenCVE Enrichment