Impact
The vulnerability is a missing authorization flaw that permits arbitrary deletion of content within the Ultimate Learning Pro plugin. An attacker who can reach the plugin's API endpoints for content manipulation can remove posts, lessons, or other educational resources because those endpoints do not perform proper permission checks, potentially leading to data loss and disruption of course content for users. The flaw is classified as CWE-862 (Missing Authorization), indicating that a required authorization check is absent from the code path.
Affected Systems
Affected systems are installations of the Ultimate Learning Pro WordPress plugin by azzaroco. Any deployment running version 3.9.3 or earlier is vulnerable. The impact is limited to the scope of the plugin; the rest of the WordPress installation is unaffected unless other plugins or custom logic depend on the deleted content.
Risk and Exploitability
The CVSS score of 4.9 represents medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in CISA KEV, and no official workaround is available. The likely attack vector is a legitimate user session, either a privileged account or one with a misconfigured role, which can use the missing checks to delete content. Consequently, the overall risk is moderate but still warrants timely remediation.
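The flaw class described above (an API endpoint that deletes content without checking whether the caller is allowed to) is easiest to understand side by side with its fix. The following is an added illustration written for this page, not code from Ultimate Learning Pro or from azzaroco: a hypothetical "delete lesson" WordPress REST route registered twice, once in the CWE-862 shape and once with the authorization check the advisory says is missing. The route namespaces (`ulp-demo-vuln/v1`, `ulp-demo/v1`), the `lesson` post type and the function names are placeholders; `register_rest_route`, `current_user_can`, `wp_delete_post`, `rest_authorization_required_code` and `WP_Error` are real WordPress core APIs.

```php
<?php
/**
 * Added example (not part of the Ultimate Learning Pro plugin).
 * Two registrations of a hypothetical lesson-deletion endpoint:
 * the first shows the missing-authorization pattern, the second the fix.
 */

// --- BEFORE: CWE-862 pattern ------------------------------------------------
// permission_callback always returns true and the handler never asks whether
// the caller may delete this post, so any request that reaches the route,
// including an unauthenticated one, deletes the lesson.
function ulp_demo_register_vulnerable_route() {
    register_rest_route( 'ulp-demo-vuln/v1', '/lesson/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'ulp_demo_delete_lesson',
        'permission_callback' => '__return_true',
    ) );
}

// --- AFTER: authorization enforced in permission_callback -------------------
function ulp_demo_register_hardened_route() {
    register_rest_route( 'ulp-demo/v1', '/lesson/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'ulp_demo_delete_lesson',
        'permission_callback' => 'ulp_demo_can_delete_lesson',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

/**
 * Authorization check. Runs before the callback; returning WP_Error or false
 * makes WordPress answer 401/403 and the delete never happens.
 */
function ulp_demo_can_delete_lesson( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );

    // Refuse to act on anything other than a lesson so the route cannot be
    // repurposed to delete arbitrary post types.
    if ( ! $post || 'lesson' !== $post->post_type ) {
        return new WP_Error(
            'rest_lesson_not_found',
            'Lesson not found.',
            array( 'status' => 404 )
        );
    }

    // 'delete_post' is a meta capability: WordPress maps it to delete_posts,
    // delete_others_posts, delete_published_posts, etc. for the post type,
    // taking ownership and status into account. Unauthenticated callers (and
    // cookie-authenticated ones without a valid X-WP-Nonce) fail here.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to delete this lesson.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }

    return true;
}

/** Shared handler: by the time this runs, authorization has already passed. */
function ulp_demo_delete_lesson( WP_REST_Request $request ) {
    $deleted = wp_delete_post( (int) $request['id'], true );
    if ( ! $deleted ) {
        return new WP_Error( 'rest_delete_failed', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => (int) $request['id'] ) );
}

// Only the hardened route is hooked in; the vulnerable one is kept for contrast.
add_action( 'rest_api_init', 'ulp_demo_register_hardened_route' );
```

The design point is where the check lives: `permission_callback` is evaluated by the REST server before the handler, so a forgotten check inside the handler cannot leave the route open, and the capability test uses the per-post `delete_post` meta capability rather than a blanket role test, which is what distinguishes "may this user delete this lesson" from "is this user logged in". For site operators who cannot yet update, the same condition can be monitored rather than enforced: server-side, a `DELETE` to the plugin's REST namespace from a session that lacks the expected capability is the event to alert on.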
OpenCVE Enrichment