Impact
The Yandex Metrika WordPress plugin contains a Missing Authorization vulnerability that allows an attacker to bypass the plugin's access control mechanism. The flaw originates from the lack of a proper authorization check in the plugin's API, which enables users to perform actions intended for higher-privileged roles. Based on the CVE description, the vulnerability permits accessing plugin information and potentially modifying configuration settings; however, the specific impact on confidentiality or integrity is not explicitly stated in the CVE data, so it is only inferred that such unauthorized access could expose analytics data where it is available.
Affected Systems
All installations of the Yandex Metrika plugin with version 1.2.2 or earlier are affected, irrespective of WordPress site configuration. The vendor/product pair is Yandex Metrika: Yandex Metrica. The vulnerability applies from an unspecified lower bound through the 1.2.2 release, covering all earlier releases that are still deployed.
Risk and Exploitability
The assigned CVSS score of 5.3 indicates medium severity, reflecting that no authentication is required to reach the unprotected functionality and that plugin data can potentially be altered. The EPSS score is below 1%, meaning the chance of exploitation in the wild is low but not negligible. The vulnerability is not listed in the CISA KEV catalog. Because this is a web-based plugin reached through the WordPress admin interface, the likely attack vector is a remote attacker issuing crafted HTTP requests that reach the endpoint lacking the authorization check; this inference is derived from the nature of the plugin and the type of weakness (CWE-862).
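The Impact and Risk and Exploitability sections both describe the same defect: a plugin API endpoint that lacks an authorization check, so any remote HTTP request can read or change plugin settings. The example below is added here and is not code from the Yandex Metrika plugin; it shows a hypothetical WordPress REST route for plugin settings, first with the missing check (the CWE-862 pattern) and then with a capability check in the route's permission_callback. The route namespace, option name and function names are assumptions.

```php
<?php
// Added example (not code from the Yandex Metrika plugin): a WordPress REST
// endpoint exposing plugin settings, shown first with the missing
// authorization check (CWE-862) and then with the check in place.
// The route namespace, option name and callback names are hypothetical.

// --- Weak form: anyone who can reach the REST API can read and write settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-metrika/v1', '/settings', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_metrika_get_settings',
            'permission_callback' => '__return_true', // no authorization at all
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_metrika_update_settings',
            'permission_callback' => '__return_true', // unauthenticated writes
        ),
    ) );
} );

// --- Hardened form: require a capability reserved for administrators.
function example_metrika_can_manage( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // 401 for anonymous callers, 403 for logged-in users without the capability.
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to manage these settings.', 'example-metrika' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-metrika/v1', '/settings-secure', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_metrika_get_settings',
            'permission_callback' => 'example_metrika_can_manage',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_metrika_update_settings',
            'permission_callback' => 'example_metrika_can_manage',
            // Validate the one setting this endpoint accepts so an authorized
            // caller still cannot store arbitrary content in the option.
            'args'                => array(
                'counter_id' => array(
                    'required'          => true,
                    'type'              => 'string',
                    'sanitize_callback' => 'sanitize_text_field',
                    'validate_callback' => function ( $value ) {
                        return (bool) preg_match( '/^\d{1,12}$/', (string) $value );
                    },
                ),
            ),
        ),
    ) );
} );

// Shared handlers: the callbacks themselves are identical in both forms, which
// is why the authorization decision must live in permission_callback.
function example_metrika_get_settings( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'counter_id' => get_option( 'example_metrika_counter_id', '' ),
    ) );
}

function example_metrika_update_settings( WP_REST_Request $request ) {
    update_option( 'example_metrika_counter_id', $request->get_param( 'counter_id' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

Two details matter for reviewing a plugin against this weakness. First, WordPress only establishes the logged-in user for a REST request made with cookie authentication when a valid X-WP-Nonce header accompanies it, so current_user_can() inside the permission callback evaluates an anonymous user for a plain cross-site or scripted request and the callback correctly returns a 401. Second, a permission_callback of '__return_true' is legitimate only for data that is intentionally public; any route that reads or writes plugin configuration should map to a capability such as manage_options, which is the check the vulnerable versions described above are reported to lack.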
OpenCVE Enrichment