Impact
The vulnerability is a missing authorization flaw in the InstaWP Connect plugin for WordPress: a privileged plugin action is reachable without the authorization check it requires, so attackers can bypass the intended access controls. This weakness can lead to unauthorized creation, deletion, or modification of data exposed by the plugin, compromising data integrity and potentially enabling further malicious activity. The flaw is classified as CWE-862 (Missing Authorization).
Affected Systems
WordPress sites using the InstaWP Connect plugin are affected. All versions of the plugin from the earliest available release up to and including 0.1.1.9 are vulnerable. The vendor, InstaWP, does not provide exact revision numbers beyond the maximum affected version. Sites with older or unpatched plugin installations should be checked to confirm whether they fall within this range.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity level. The EPSS score of less than 1% shows a low probability of exploitation at this time, and the vulnerability is not listed in CISA KEV. The likely attack vector is the web application: an attacker with basic access to the WordPress environment (authenticated at a low-privilege role, or possibly unauthenticated depending on site configuration) can use the missing authorization check to perform privileged actions within the plugin. The exploit requires no special preconditions beyond access to the plugin's exposed endpoints.
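To make the CWE-862 pattern concrete, the following is an added illustration and not code from InstaWP Connect: a hypothetical plugin REST endpoint registered first without any permission check (the vulnerable shape) and then with a permission_callback that enforces a capability. The namespace, route, option key and capability are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Route names, the option key
// and the 'manage_options' capability are assumptions for illustration.

// Vulnerable form (CWE-862): no 'permission_callback', so WordPress treats
// the route as public and any visitor can change the option. WordPress
// 5.5+ emits a _doing_it_wrong notice for this, but still registers the route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'  => 'POST',
        'callback' => 'example_plugin_update_settings',
    ) );
} );

// Hardened form: the permission_callback runs before the handler and
// rejects callers without the required capability (HTTP 403), whether
// they are anonymous or logged in at a low-privilege role.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v2', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        // Input validation is separate from authorization; both are needed.
        'args' => array(
            'maintenance_mode' => array(
                'type'              => 'boolean',
                'required'          => true,
                'sanitize_callback' => 'rest_sanitize_boolean',
            ),
        ),
    ) );
} );

// Shared handler: the privileged action that must only run after the
// permission_callback has approved the request.
function example_plugin_update_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_maintenance_mode', (bool) $request['maintenance_mode'] );
    return new WP_REST_Response( array( 'updated' => true ), 200 );
}
```

When auditing a plugin for this class of flaw, review every register_rest_route call and every wp_ajax_nopriv_ hook for a missing or always-true permission check, since a nonce alone proves request origin, not authorization.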
OpenCVE Enrichment