The flaw in Directory Pro is a missing authorization check that allows users to bypass the plugin’s intended access controls. When an attacker reaches the plugin’s administrative endpoints, the absence of proper role validation permits execution of actions beyond the user’s legitimate rights, potentially exposing, modifying, or deleting data managed by the plugin. This type of vulnerability is classified under CWE‑862, which indicates that access control decisions are incorrectly implemented.

All installations of the e-plugins Directory Pro plugin up through version 2.5.6 are affected. The issue is present in every version from the earliest release (n/a) up to and including 2.5.6. WordPress sites that have the plugin enabled are at risk if any authenticated or unauthenticated user can interact with the plugin’s protected interfaces.

The CVSS 4.3 score places the vulnerability in the moderate severity range, but the EPSS score of < 1% suggests a very low probability of exploitation in the wild. The plugin’s own capability to perform privileged actions indicates that an attacker would likely need some level of access to the WordPress back‑end or to the Directory Pro endpoints, though the exact attack vector is not explicitly documented. The vulnerability is not listed in CISA’s KEV catalog, further reducing the perceived risk compared to known exploited vulnerabilities. Nonetheless, because the flaw directly impacts privilege controls, it remains a concern that must be mitigated promptly.