Impact
The vulnerability is a missing authorization flaw (CWE-862) in the Property Hive WordPress plugin: plugin functionality is reachable without the code first verifying that the requesting user holds the capability the operation requires. Because the check is absent or incorrect rather than merely weak, an attacker does not need to defeat it; a request that reaches the affected functionality is simply honoured. The result is broken access control: a user with fewer privileges than the plugin's security model intends can perform privileged actions or read content the plugin should have kept protected. The flaw does not by itself give remote code execution, but it lets unauthorized users carry out actions they should not be allowed to perform.
Affected Systems
WordPress sites running Property Hive version 2.1.12 or earlier are affected. On those installations the plugin's protected features or data are reachable through plugin functionality that does not restrict access according to the user roles or capabilities the operation requires. The page does not identify which plugin features lack the check, so check the installed version on the WordPress Plugins screen and treat any site on an affected version as exposed until the plugin is updated to a release newer than 2.1.12.
Risk and Exploitability
The CVSS base score of 7.5 rates the issue as high severity. The EPSS score of under 1% indicates a low estimated probability of exploitation in the wild at the time of this assessment, and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed evidence of active exploitation. An attacker would need to locate a WordPress site running the vulnerable plugin version, send requests to the plugin endpoints that are supposed to be protected, and rely on the missing authorization check to have those requests honoured. The attack vector is therefore network-based, over the site's normal web interface; no local access is required. Note that EPSS and KEV measure observed exploitation, not ease of exploitation: a missing capability check in a publicly available plugin is usually simple to exploit once the affected endpoint is known, so a low EPSS should not be read as low risk for an exposed site.
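The paragraphs above describe the class of flaw (CWE-862) but not the specific code. The following is an added illustration of what a missing authorization check looks like in a WordPress plugin and how it is fixed; it is not Property Hive's code, and every route, action, capability and function name in it is a hypothetical stand-in. It shows the two places plugins most often omit the check: an admin-ajax handler and a REST route whose `permission_callback` is `__return_true`.

```php
<?php
// Added example: hypothetical WordPress handlers showing CWE-862 (missing
// authorization) and the corrected form. Not code from Property Hive; all
// names (example_*, example/v1, nonce action) are assumptions.

/* ---- Pattern 1: admin-ajax handler -------------------------------------- */

// VULNERABLE: any logged-in user (any role) can reach this handler, and it
// never asks whether the caller may delete the target object. Registering it
// on wp_ajax_nopriv_* as well would extend that to unauthenticated visitors.
function example_delete_property_unsafe() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_property_unsafe', 'example_delete_property_unsafe' );

// HARDENED: verify the nonce (CSRF) and then the caller's capability for this
// specific object (authorization) before performing the privileged action.
function example_delete_property() {
    // Dies with a 403 if the request carries no valid nonce for this action.
    check_ajax_referer( 'example_delete_property', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Object-level check: may this user delete this particular post?
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_property', 'example_delete_property' );

/* ---- Pattern 2: REST route ---------------------------------------------- */

function example_register_routes() {
    // VULNERABLE: permission_callback => '__return_true' makes the route
    // public. The callback still performs a privileged write.
    register_rest_route( 'example/v1', '/properties-unsafe/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_rest_delete_property',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback decides per request and per object.
    // Cookie-authenticated REST requests also need an X-WP-Nonce header,
    // which WordPress core validates before this callback runs.
    register_rest_route( 'example/v1', '/properties/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_rest_delete_property',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            if ( ! current_user_can( 'delete_post', $post_id ) ) {
                return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_routes' );

function example_rest_delete_property( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    $deleted = wp_delete_post( $post_id, true );
    if ( ! $deleted ) {
        return new WP_Error( 'not_found', 'No such property', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'deleted' => $post_id ) );
}
```

When auditing a plugin for this weakness, the quick checks that correspond to the two patterns are: search the plugin source for `permission_callback` values of `__return_true` on routes that write data or return non-public content, and for every `wp_ajax_*` and especially `wp_ajax_nopriv_*` handler, confirm that a `current_user_can()` (or equivalent) check runs before the privileged operation. A nonce check alone is not authorization: `check_ajax_referer()` stops cross-site request forgery, but any user who can obtain a nonce still passes it, so the capability check is what this CWE is about.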
OpenCVE Enrichment