Impact
The vulnerability is a missing authorization flaw in the Apiki GoCache plugin that allows attackers to access or modify resources protected by the plugin’s access control settings. This broken access control can lead to unauthorized viewing or alteration of content, potentially exposing sensitive data and compromising the integrity of the site. The weakness is classified as CWE‑862 (Missing Authorization) and is described as the exploitation of incorrectly configured access control security levels.
Affected Systems
The affected product is Apiki’s GoCache plugin for WordPress. The issue applies to all releases from the earliest version through 1.3.6, inclusive. The current advisory gives no information about later versions, so releases newer than 1.3.6 should be examined for a fix.
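A triage check for the version range above, as an added example that is not part of the advisory or the plugin's own code: it reads the WordPress plugin header from each plugin's top-level PHP files and flags GoCache installs at or below 1.3.6. Matching on a `Plugin Name` header that contains "GoCache" is an assumption, since the advisory gives no plugin slug or file path.

```python
import re
from pathlib import Path

LAST_AFFECTED = (1, 3, 6)  # advisory: all releases through 1.3.6, inclusive
# Same line shape WordPress accepts for header fields inside the leading comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_header(text):
    """Return lower-cased header fields found in a plugin main file."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'1.3.6' -> (1, 3, 6); a suffix such as '-beta' is ignored, short versions are padded."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    while len(parts) < len(LAST_AFFECTED):
        parts.append(0)
    return tuple(parts)

def classify(text):
    """Return 'affected', 'not-in-range', 'unknown' or 'other-plugin' for one file."""
    fields = parse_header(text)
    if "gocache" not in fields.get("plugin name", "").lower():  # assumed header name
        return "other-plugin"
    version = fields.get("version", "")
    if not re.search(r"\d", version):
        return "unknown"  # no usable version header: review by hand
    # 'not-in-range' is not 'fixed': the advisory is silent on releases after 1.3.6.
    return "affected" if version_tuple(version) <= LAST_AFFECTED else "not-in-range"

def scan(plugins_dir):
    """Classify the top-level PHP files of every plugin under wp-content/plugins."""
    results = {}
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        status = classify(php.read_text(errors="replace"))
        if status != "other-plugin":
            results[str(php.relative_to(plugins_dir))] = status
    return results
```

Point `scan()` at a site's `wp-content/plugins` directory; anything reported as `unknown` or `not-in-range` still needs the manual check for a fix that the advisory calls for.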
Risk and Exploitability
The CVSS score of 5.4 places this vulnerability in a moderate risk category. The EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be access to the plugin’s internal URLs or APIs from the web interface; an attacker with unauthenticated or limited access could use these endpoints to bypass intended restrictions. No additional prerequisites are mentioned beyond the presence of the vulnerable plugin on a WordPress site.
OpenCVE Enrichment