Impact
The Protect WP Admin plugin contains a missing authorization flaw: because the plugin's access control levels are incorrectly configured, users can perform actions that should be restricted to administrators. This broken access control can let an attacker reach protected admin pages and potentially change settings or view restricted data. The vulnerability maps directly to CWE-862 and represents a moderate risk to the confidentiality and integrity of the site's administrative functions.
Affected Systems
WP-EXPERTS.IN's Protect WP Admin plugin, versions up to and including 4.1, is affected. The flaw is present in every installation running one of these versions; the description lists no specific sub-versions beyond the 4.1 upper bound.
Risk and Exploitability
With a CVSS score of 4.3, the severity is moderate, with the impact falling mainly on the confidentiality and integrity of privileged resources. The EPSS score is below 1 %, indicating a currently low probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog. The likely attack vector is remote via the web interface, where an attacker can craft requests to the plugin's admin endpoints to bypass normal permission checks. Exploitation would require the plugin to be installed and the security levels to be misconfigured, conditions common in many default WordPress setups.
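The Impact and Risk sections above describe the general shape of a CWE-862 flaw in a WordPress plugin: an admin-side entry point whose capability requirement is set too low, and a request handler that never asks who is making the request. The fragment below is an added illustration written for this page, not the Protect WP Admin source and not a reproduction of its actual defect; the `pwa_demo_*` names, the option key and the settings page are all hypothetical. It shows the weak pattern beside the hardened one so a reviewer auditing a plugin knows what to look for.

```php
<?php
/*
 * Hypothetical mu-plugin fragment (added example, not the Protect WP Admin code).
 * pwa_demo_register_weak() shows the CWE-862 shape; pwa_demo_register_hardened()
 * is the corrected equivalent. Only the hardened variant is hooked at the bottom.
 */

// ---------- WEAK: authorization level set too low, handler unchecked ----------
function pwa_demo_register_weak() {
    add_action( 'admin_menu', function () {
        // 'read' is held by every registered user, Subscribers included, so this
        // "admin" page is reachable by anyone with an account on the site.
        add_options_page( 'Demo Settings', 'Demo Settings', 'read',
            'pwa_demo', 'pwa_demo_render_page' );
    } );

    add_action( 'admin_init', function () {
        // admin_init fires for every logged-in request to wp-admin. With no
        // capability check and no nonce, any user can rewrite the option.
        if ( isset( $_POST['pwa_demo_slug'] ) ) {
            update_option( 'pwa_demo_slug',
                sanitize_text_field( wp_unslash( $_POST['pwa_demo_slug'] ) ) );
        }
    } );
}

// ---------- HARDENED: authorization enforced at every entry point ----------
function pwa_demo_register_hardened() {
    add_action( 'admin_menu', function () {
        // manage_options is an Administrator-only capability on a single site.
        add_options_page( 'Demo Settings', 'Demo Settings', 'manage_options',
            'pwa_demo', 'pwa_demo_render_page' );
    } );

    // A dedicated admin-post action instead of admin_init, gated by both a
    // capability check (authorization) and a nonce (request intent / CSRF).
    add_action( 'admin_post_pwa_demo_save', function () {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
        }
        check_admin_referer( 'pwa_demo_save' );

        $slug = isset( $_POST['pwa_demo_slug'] )
            ? sanitize_text_field( wp_unslash( $_POST['pwa_demo_slug'] ) )
            : '';
        update_option( 'pwa_demo_slug', $slug );

        wp_safe_redirect( add_query_arg( 'updated', '1',
            admin_url( 'options-general.php?page=pwa_demo' ) ) );
        exit;
    } );
}

// Page callback shared by both variants. It re-checks the capability itself:
// the menu registration decides what is listed, not what is executable.
function pwa_demo_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    ?>
    <div class="wrap">
        <h1>Demo Settings</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="pwa_demo_save">
            <?php wp_nonce_field( 'pwa_demo_save' ); ?>
            <label for="pwa_demo_slug">Protected slug</label>
            <input type="text" id="pwa_demo_slug" name="pwa_demo_slug"
                   value="<?php echo esc_attr( get_option( 'pwa_demo_slug', '' ) ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

// Activate the hardened registration; the weak one is kept only for contrast.
pwa_demo_register_hardened();
```

The audit check that follows from this: for every `add_menu_page`/`add_options_page` call, every `admin_init`/`admin_post_*`/`wp_ajax_*` handler and every REST route, confirm that the capability required is the one the feature actually needs and that the handler itself calls `current_user_can()` rather than relying on the menu being hidden. On the detection side, requests from low-privileged accounts to a plugin's settings page or to `admin-post.php`/`admin-ajax.php` with that plugin's action name are worth alerting on while affected versions remain deployed.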
OpenCVE Enrichment