Impact
Kiotviet’s KiotViet Sync plugin contains a missing authorization flaw that permits users to obtain or manipulate data without proper privileges. The vulnerability arises from incorrectly configured access control security levels, allowing unauthorized users to perform actions that should be restricted. Consequently, any attacker who can reach the plugin’s endpoints could potentially read, modify, or delete synchronization data, compromising confidentiality and integrity for the sites that rely on the plugin.
Affected Systems
WordPress installations running the Kiotviet KiotViet Sync plugin version 1.8.5 or earlier are impacted. No specific WordPress core version requirement is noted, so the issue applies to any WordPress site that has a vulnerable version of the plugin deployed.
Risk and Exploitability
The CVSS score of 4.3 indicates a medium severity, while the EPSS score of less than 1% reflects a very low estimated exploitation probability at the time of analysis. This vulnerability is not currently listed in CISA’s KEV catalog. Based on the description, the likely attack vector is the plugin’s web endpoints, requiring network access to the WordPress site and the ability to craft HTTP requests to endpoints that lack the expected authorization checks. No additional conditions such as privilege escalation inside the server are stated, so an attacker does not need elevated privileges beyond network access.
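As an added illustration of the flaw class described above, and not code from the KiotViet Sync plugin itself, the following shows a WordPress REST endpoint registered without any authorization check beside its hardened form; the namespace, route, option key and required capability are assumed for the example.

```php
<?php
// Illustrative example only: not the KiotViet Sync plugin's code.
// Namespace, route, option key and capability are assumed.

// WEAK: '__return_true' as permission_callback makes the route reachable by
// anyone who can send an HTTP request, so any caller can change the setting.
function example_sync_register_weak() {
    register_rest_route( 'example-sync/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_sync_update_settings',
        'permission_callback' => '__return_true', // missing authorization
    ) );
}

// HARDENED: require a capability and constrain the input. Cookie-authenticated
// callers must also send a valid X-WP-Nonce, otherwise WordPress treats the
// request as unauthenticated and current_user_can() returns false.
function example_sync_register_hardened() {
    register_rest_route( 'example-sync/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_sync_update_settings',
        'permission_callback' => function () {
            // Only site administrators may read or change sync settings.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

// Shared handler; safe only when the route's permission_callback gates it.
function example_sync_update_settings( WP_REST_Request $request ) {
    update_option( 'example_sync_api_key', $request->get_param( 'api_key' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

// Only the hardened registration is hooked; the weak one is shown for contrast.
add_action( 'rest_api_init', 'example_sync_register_hardened' );
```

The same review applies to admin-ajax handlers: a `wp_ajax_nopriv_` hook, or an `wp_ajax_` handler that never calls `current_user_can()` and `check_ajax_referer()`, exposes the action in the same way.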
OpenCVE Enrichment