Impact
The WPKoi Templates for Elementor plugin contains an authorization flaw that allows an attacker to bypass intended access restrictions. When the plugin is configured with insufficient security levels, a malicious user can obtain privileges normally reserved for administrators, potentially modifying or publishing content without permission. The weakness is classified as CWE-862 and carries a CVSS score of 4.3, indicating a moderate risk.
Affected Systems
The vulnerability affects the WordPress plugin WPKoi Templates for Elementor, developed by wpkoithemes. All releases from the earliest known version up to and including 3.4.4 are impacted. Sites running version 3.4.4 or any earlier version are exposed.
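To check a site against the affected range above, the added example below (not code from the advisory or the plugin) reads WordPress plugin header fields and flags installed copies at or below 3.4.4. It assumes the plugin's `Plugin Name` header matches the name used in this advisory; the folder names and the 9.9.9 version in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "WPKoi Templates for Elementor"  # assumed header value (name from the advisory)
LAST_AFFECTED = "3.4.4"                        # last affected release per the advisory
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+)$", re.M | re.I)
# Constructed sample data: (folder, Plugin Name header, Version header).
SAMPLES = [("sample-a", PLUGIN_NAME, "3.4.4"), ("sample-b", PLUGIN_NAME, "9.9.9"),
           ("sample-c", "Unrelated Plugin", "1.0")]

def read_header(php_file):
    """Return the 'plugin name' and 'version' header fields of a plugin file."""
    # WordPress reads header fields from the first 8 KiB of the file only.
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """'3.4.4' -> (3, 4, 4); a suffix such as '-beta' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def is_affected(version):
    """True if version <= LAST_AFFECTED, None if the version cannot be parsed."""
    found, bound = version_tuple(version or ""), version_tuple(LAST_AFFECTED)
    if not found:
        return None
    width = max(len(found), len(bound))
    pad = lambda t: t + (0,) * (width - len(t))  # so 3.4 and 3.4.4.0 compare correctly
    return pad(found) <= pad(bound)

def scan(plugins_dir):
    """List (main file, version, affected) for each installed copy of the plugin."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if header.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            version = header.get("version")
            hits.append((php.relative_to(plugins_dir).as_posix(), version, is_affected(version)))
    return hits

def demo():
    """Run scan() over a constructed plugins directory built from SAMPLES."""
    with tempfile.TemporaryDirectory() as root:
        for folder, name, version in SAMPLES:
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return scan(root)
```

On a real site, call `scan()` with the path to `wp-content/plugins`; a result of `None` in the last field means the version header was missing or unparseable and needs a manual look.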
Risk and Exploitability
Although the EPSS score is below 1% and the vulnerability is not listed in CISA KEV, exploitation remains possible on sites that have the affected plugin installed and misconfigured. Based on the description, the likely attack vector is the WordPress administration interface, or any user who can become authenticated with elevated privileges. Effective exploitation requires the attacker to be able to access or influence the plugin configuration, which suggests that the risk falls mainly on sites that allow low-privilege users to modify plugin settings or that have exposed administrative interfaces.
OpenCVE Enrichment