The RadiusBlock plugin implements a key‑based lookup that is intended to restrict access to content objects, but the validation logic is flawed. Because the key supplied by the user is not properly correlated with the user’s permissions, an attacker can supply a crafted key to view or modify objects for which they have no authorization. This IDOR flaw can lead to unauthorized disclosure or alteration of site content, affecting confidentiality, integrity, and potentially the overall user experience. The weakness is identified as CWE‑639, a classic access control issue arising from controllability of an authorization key by a user.

WordPress sites running the RadiusBlocks plugin version 2.2.1 or earlier are affected. The vendor, RadiusTheme, lists Radius Blocks as the product name and indicates that all releases up to 2.2.1 contain the flaw. Any installation of the plugin, regardless of the site’s theme or other plugins, inherits the vulnerability if the plugin is not upgraded beyond 2.2.1.

The vendor’s CVSS score of 4.3 classifies the issue as moderate but not critical, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need a HTTP interface to send the manipulated key, so the likely attack vector is web‑based. Exploitation does not require special privileges beyond those of a normal site visitor, although greater impact can be achieved by an authenticated user with elevated roles. Given the low exploitation probability, the overall risk is moderate but not insignificant for sites that rely on the plugin for essential content distribution.