Impact
This vulnerability arises from a missing authorization check in the Export Categories plugin, allowing an attacker to use export functionality that is not properly constrained by access control lists. The weakness is categorized as CWE-862, a broken access control flaw that can provide unauthorized users with the ability to retrieve or manipulate category data. As a result, attackers could potentially read sensitive information, circumvent intended permissions, or influence the application's behavior without proper authentication.
Affected Systems
The affected product is the WordPress plugin Export Categories by Shambhu Patnaik, versions from the initial release through 1.0. Any site deploying this plugin, regardless of the specific minor revision, is susceptible.
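To inventory affected installs, the following added example (not from the advisory or the plugin's author) walks a WordPress plugins directory, reads each PHP file's plugin header, and flags Export Categories at version 1.0 or earlier. The advisory does not give the plugin's directory name, so the paths in the constructed sample are made up and matching is done on the `Plugin Name` header.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_NAME = "export categories"  # plugin name from the advisory, lowercased
LAST_AFFECTED = (1, 0, 0)            # advisory: initial release through 1.0
# Header lines as WordPress writes them near the top of a plugin file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+)$", re.I | re.M)

def read_header(php_file):
    """Return {'plugin name': ..., 'version': ...} from the first 8 KiB."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """'1.0' -> (1, 0, 0); anything after the leading numeric parts is ignored."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*|", version.strip()).group().split(".") if n]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(fields):
    if fields.get("plugin name", "").lower() != AFFECTED_NAME:
        return False
    if "version" not in fields:
        return True  # unknown version: flag for manual review
    return version_tuple(fields["version"]) <= LAST_AFFECTED

def find_affected(plugins_dir):
    """Scan a plugins directory (top level and one directory down)."""
    root, hits = Path(plugins_dir), []
    for f in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        fields = read_header(f)
        if is_affected(fields):
            hits.append((f.relative_to(root).as_posix(), fields.get("version", "unknown")))
    return hits

def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"cat-export/cat-export.php": ("Export Categories", "1.0"),
                   "cat-export-new/main.php": ("Export Categories", "1.0.1"),
                   "other/other.php": ("Some Other Plugin", "0.9")}
        for rel, (name, ver) in samples.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True)
            path.write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return find_affected(tmp)
```

Point `find_affected` at a site's `wp-content/plugins` directory; because the match is by name only, confirm the author on any hit before acting on it.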
Risk and Exploitability
The CVSS score of 5.3 classifies this issue as a moderate severity vulnerability, and the EPSS score of less than 1% indicates that exploit attempts are currently unlikely to be widespread. The plugin operates through web-based requests, so an attacker with the ability to send requests to the affected endpoint can trigger the flaw. Although the vulnerability is not listed in CISA’s KEV catalog and has a low exploitation probability, the potential impact on data confidentiality and integrity warrants patching and tightening of access controls.