Impact
The vulnerability is a missing authorization flaw that allows attackers to bypass correctly configured access control mechanisms in the Subscriptions & Memberships for PayPal plugin. This flaw can give unauthorized users the ability to view, modify, or delete subscription data, potentially exposing sensitive customer information or enabling financial manipulation. The weakness is classified as CWE-862 (Missing Authorization).
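To illustrate what CWE-862 looks like in a WordPress plugin, the following is an added example and not code from Subscriptions & Memberships for PayPal or from its author; every function, hook and option name in it is hypothetical. It shows an admin-ajax handler that acts on subscription data without asking WordPress whether the caller is permitted to, beside a version that checks a capability (authorization) and a nonce (request intent).

```php
<?php
// Added example of CWE-862 (Missing Authorization) in a WordPress AJAX handler.
// All names below are invented; this is not the vulnerable plugin's code.

// VULNERABLE PATTERN: any authenticated user who can reach admin-ajax.php can
// delete a subscription record, because the handler never checks a capability.
// (In a real plugin this would be hooked with add_action( 'wp_ajax_...', ... ).)
function example_delete_subscription_unchecked() {
    $id   = isset( $_POST['subscription_id'] ) ? absint( $_POST['subscription_id'] ) : 0;
    $subs = get_option( 'example_subscriptions', array() );
    unset( $subs[ $id ] );
    update_option( 'example_subscriptions', $subs );
    wp_send_json_success();
}

// HARDENED PATTERN: (1) current_user_can() decides whether THIS user may perform
// the action; (2) check_ajax_referer() verifies the nonce so the request was
// intentionally issued by that user. A nonce alone is not authorization.
function example_delete_subscription_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request, so no fall-through.
        wp_send_json_error( 'Not authorized.', 403 );
    }
    // The nonce is created for the form/JS with wp_create_nonce( 'example_delete_subscription' ).
    check_ajax_referer( 'example_delete_subscription', 'nonce' );

    $id   = isset( $_POST['subscription_id'] ) ? absint( $_POST['subscription_id'] ) : 0;
    $subs = get_option( 'example_subscriptions', array() );
    if ( ! isset( $subs[ $id ] ) ) {
        wp_send_json_error( 'Unknown subscription.', 404 );
    }
    unset( $subs[ $id ] );
    update_option( 'example_subscriptions', $subs );
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_example_delete_subscription', 'example_delete_subscription_checked' );
```

When auditing a plugin for this weakness, look for every `wp_ajax_*`, `admin_post_*` or REST callback that reads or writes plugin data and confirm a capability check precedes the action, not only a nonce check.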
Affected Systems
The issue affects the WordPress plugin Subscriptions & Memberships for PayPal by Scott Paterson, with all versions from the earliest available through plugin version 1.1.7 vulnerable. Any WordPress installation using this plugin within that version range is at risk.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1 percent signals a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV, suggesting it has not been widely exploited in the wild yet. Attackers would need access to a WordPress account with sufficient privileges to interact with the plugin’s subscription management interfaces, either through an existing user login or by exploiting additional local or remote vulnerabilities that grant such access.
OpenCVE Enrichment