Impact
The WP Custom Admin Interface plugin for WordPress is missing an authorization check on a privileged action: the plugin never confirms that the requesting user holds the capability the action is meant to require. An authenticated attacker, and potentially an unauthenticated one if the same handler is exposed to logged-out requests, can therefore reach functionality intended for administrators and add, edit, or delete the plugin's configuration settings. This is broken access control, and its primary impact is privilege escalation: the flaw bypasses the intended access restriction outright rather than depending on any other weakness, an attacker may end up acting with privileges they were never granted, and a tampered configuration changes site behaviour for every user.
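As an added illustration of this bug class (example code written for this page, not the plugin's own code; the hook names, option name and nonce action are hypothetical), the following shows a WordPress AJAX settings handler with the authorization check missing, beside a hardened version of the same handler:

```php
<?php
// Illustrative example only; not code from WP Custom Admin Interface.
// All hook names, option names and the nonce action below are made up.

// --- Vulnerable pattern: privileged action with no authorization check ---
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // wp_ajax_* hooks fire for EVERY logged-in user, regardless of role.
    // With no current_user_can() and no nonce check, the lowest-privileged
    // account on the site can overwrite the plugin's configuration.
    // Registering the same callback on wp_ajax_nopriv_example_save_settings
    // would additionally expose it to requests with no session at all.
    update_option( 'example_admin_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// --- Hardened pattern: authorize, verify intent, then validate input ---
add_action( 'wp_ajax_example_save_settings_hardened', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. Authorization: the capability this action is meant to require.
    //    Check the capability, never the role name.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce bound to this action.
    //    The legitimate admin page would emit it with
    //    wp_create_nonce( 'example_save_settings' ) (e.g. via wp_localize_script).
    //    check_ajax_referer() terminates the request on a missing or invalid nonce.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 3. Validate and sanitize before persisting anything.
    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $clean = array();
    foreach ( $raw as $key => $value ) {
        if ( ! is_string( $value ) ) {
            continue; // reject nested structures this option never expects
        }
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( $value );
    }

    update_option( 'example_admin_settings', $clean );
    wp_send_json_success( $clean );
}
```

Against the first handler, any logged-in user can POST `action=example_save_settings` with a `settings[...]` payload to `/wp-admin/admin-ajax.php` using only their own session cookie, and the option is overwritten. The second handler rejects that request with a 403 before touching the option, and the nonce check additionally stops a cross-site request that rides on an administrator's existing session. When auditing a plugin for this class of flaw, look at every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `admin_init`-driven handler and confirm that each one performs both a capability check and a nonce check before any state change.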
Affected Systems
Any WordPress installation running the Northern Beaches Websites WP Custom Admin Interface plugin at version 7.40 or earlier is affected. No lower bound is given, so every release up to and including 7.40 should be treated as vulnerable. Administrators should check the installed version (on the Plugins screen, or from the Version header of the plugin's main file) and, if it is 7.40 or below, update to a release later than 7.40.
Risk and Exploitability
The vulnerability carries a CVSS score of 4.3 (medium severity) and an EPSS score below 1%, meaning the modelled probability of exploitation in the wild over the next 30 days is low, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation goes through the WordPress administrative interface and in the usual case requires an authenticated session on the target site. The attacker does not, however, need an account that already holds the privilege the action is meant to require: the whole point of a missing authorization check is that an account below the intended privilege level reaches the action anyway. The practical risk is moderate: the low EPSS and absence from KEV indicate that exploitation is not currently widespread, but on sites with open registration or many low-privileged accounts the precondition is cheap to meet, so the update should not be deferred.
OpenCVE Enrichment