Impact
The vulnerability is a missing authorization defect in the WPS Bidouille plugin that can be exploited when the plugin's access control security levels are incorrectly configured. An attacker who can interact with the plugin's administrative interfaces may gain unauthorized permission to modify or view settings that should be restricted. This permits manipulation of configuration data, which may in turn enable further compromise of the WordPress site. The weakness corresponds to CWE-862 (Missing Authorization), where the lack of proper access checks allows privilege escalation within the application.
Affected Systems
The flaw affects the WordPress plugin WPS Bidouille developed by NicolasKulka. All releases from the earliest up to and including version 1.33.1 are impacted. No higher versions are listed as vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA's KEV catalog, implying no known active exploit activity. Based on the description, the likely attack vector is a remote web-based request sent to the WordPress site to reach restricted plugin functionality without proper authorization. No special system privileges or external conditions beyond the ability to send HTTP requests are required to exercise the flaw.
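As an added illustration of the CWE-862 pattern described in the Impact and Risk sections (example code written for this page, not the WPS Bidouille plugin's own code; the handler, action and option names are hypothetical), a WordPress AJAX settings handler that performs no authorization check, beside the hardened form a plugin author should ship:

```php
<?php
// Hypothetical names throughout; nothing here is taken from the plugin.

// VULNERABLE PATTERN (shown for contrast, deliberately not hooked):
// a "wp_ajax_" hook only requires that the caller be logged in, with any role.
// Without a capability check, any subscriber-level account can overwrite
// the option, which is the missing-authorization defect CWE-862 describes.
function bidouille_example_save_settings_unchecked() {
    $value = isset( $_POST['debug_mode'] ) ? $_POST['debug_mode'] : '';
    update_option( 'bidouille_example_debug_mode', $value );
    wp_send_json_success();
}

// HARDENED PATTERN: check capability, then nonce, then validate input,
// and only then write the setting.
function bidouille_example_save_settings_checked() {
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'bidouille_example_save', 'nonce' );

    // Input validation: accept only the values the setting is defined to hold.
    $value = isset( $_POST['debug_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['debug_mode'] ) )
        : 'off';
    if ( ! in_array( $value, array( 'on', 'off' ), true ) ) {
        wp_send_json_error( 'invalid value', 400 );
    }

    update_option( 'bidouille_example_debug_mode', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_bidouille_example_save', 'bidouille_example_save_settings_checked' );

// A read-only handler needs the same capability gate; "view" access to
// restricted settings is the other half of the defect described above.
function bidouille_example_get_settings_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array(
        'debug_mode' => get_option( 'bidouille_example_debug_mode', 'off' ),
    ) );
}
add_action( 'wp_ajax_bidouille_example_get', 'bidouille_example_get_settings_checked' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback that reads or writes options without a `current_user_can()` (or REST `permission_callback`) gate.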
OpenCVE Enrichment