Impact
This vulnerability is a missing authorization flaw that allows attackers to perform actions on the Post Grid and Gutenberg Blocks plugin that are normally restricted to privileged users. The weakness is identified as CWE-862 "Missing Authorization", meaning that the plugin fails to enforce appropriate permission checks before executing certain functions. The result is that anyone who can reach the plugin's interfaces can potentially read, modify, or delete content managed by the plugin, undermining the integrity of the WordPress site.
Affected Systems
The affected product is PickPlugins’ Post Grid and Gutenberg Blocks plugin for WordPress. All installed releases from the earliest available version up to and including 2.3.17 are vulnerable. The plugin must be upgraded beyond version 2.3.17 to remove the flaw.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium severity vulnerability, and the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. Because the vulnerability resides in a WordPress plugin that is accessible through the public web interface, the likely attack vector is remote. The issue is not listed in the CISA KEV catalog, so it has not yet been classified as a known exploited vulnerability. Nonetheless, defenders should consider it a credible risk because any attacker who can access the plugin endpoints can exploit the missing authorization to gain unauthorized capabilities.
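To show what the CWE-862 pattern looks like in a WordPress plugin and how it is closed, here is a hypothetical REST endpoint written for this page; it is not code from the Post Grid and Gutenberg Blocks plugin, and the namespace, route, meta key and function names are all invented.

```php
<?php
// Hypothetical plugin handler for illustration only; not the affected
// plugin's code. Shows the missing-authorization pattern and its fix.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-grid/v1', '/layout/(?P<id>\d+)', array(
        'methods'  => 'POST',
        'callback' => 'example_grid_update_layout',
        // VULNERABLE FORM (CWE-862): a permission_callback that always
        // allows the request lets any visitor reach the callback:
        //   'permission_callback' => '__return_true',
        // HARDENED FORM: authorize before the callback runs.
        'permission_callback' => 'example_grid_can_update_layout',
        'args'                => array(
            // Coerce the id to a non-negative integer before use.
            'id' => array( 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// Authorization check: only a user who may edit this particular post
// (its author, or an editor/administrator) is allowed through. The
// 'edit_post' meta capability maps to edit_posts / edit_others_posts /
// edit_published_posts as appropriate, so one call covers all roles.
function example_grid_can_update_layout( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        // Returning WP_Error here makes WordPress answer 403 without
        // ever invoking example_grid_update_layout().
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to change this layout.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// The privileged action itself. Even after authorization succeeds the
// input is sanitized, so a permitted user cannot store arbitrary markup.
function example_grid_update_layout( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    $layout  = sanitize_text_field( $request->get_param( 'layout' ) );
    update_post_meta( $post_id, '_example_grid_layout', $layout );
    return rest_ensure_response( array( 'updated' => $post_id ) );
}
```

When auditing a plugin for this class of bug, grep for `'permission_callback' => '__return_true'` on routes that write data, and for `wp_ajax_nopriv_` hooks or admin-ajax handlers that never call `current_user_can()`; those are the places an authorization check is most often missing.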
OpenCVE Enrichment