The flaw is a missing authorization check that allows an attacker to invoke functions within the baiduseo WordPress plugin that should be protected by access control. This shortcomings enable unauthorized users to perform actions such as manipulating SEO settings or submitting data to external search engines, potentially exposing sensitive content or compromising site integrity. The weakness is classified as CWE‑862, indicating a failure in enforcing proper authorization controls.

The vulnerability affects the WordPress plugin named 百度站长SEO合集(支持百度/神马/Bing/头条推送) produced by 沃之涛. All plugin releases up to and including 2.1.4 are impacted. Sites running any of these versions lack the necessary access restrictions for the plugin’s administrative functionalities, leaving them open to exploitation.

The CVSS score of 5.3 indicates a medium severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The issue is not listed in the CISA KEV catalog. Although the official statement does not detail the attack surface, the nature of broken access control implies that an attacker could target exposed plugin endpoints—potentially even without authentication—to execute privileged operations. In practice, the attack likely involves sending crafted requests to URLs that invoke the plugin’s functions, thereby bypassing intended permission checks.