Impact
The vulnerability is a Missing Authorization flaw in the TNC Toolbox: Web Performance WordPress plugin that allows an attacker to reach administrative functions or data that should be restricted. Because the plugin does not correctly enforce access control, unauthorized users could manipulate performance settings or view sensitive configuration information. The weakness is classified as CWE-862 (Missing Authorization): a privileged action is performed without verifying that the requesting user is permitted to perform it.
Affected Systems
The flaw affects Merlot Digital (by TNC) TNC Toolbox: Web Performance plugin versions from an unspecified initial release through and including 2.0.4. Users who have installed any of these releases on a WordPress site are at risk. The plugin is part of the WordPress ecosystem, so any WordPress site with an affected release installed is exposed.
Risk and Exploitability
Based on the description, the likely attack vector is crafted requests to the plugin’s administrative interface, most plausibly from an existing WordPress account whose privileges should be insufficient for the action but which the plugin fails to restrict. With a CVSS base score of 4.3, the flaw is rated medium severity. The EPSS score is below 1 %, indicating that exploitation is currently rare or hard to carry out. The vulnerability is not listed in CISA’s KEV catalog and there is no known public exploit. An attacker would therefore likely need either a WordPress account with sufficient privileges or a crafted request that bypasses WordPress’s internal permission checks for the plugin’s administrative interface.
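As an added illustration of the CWE-862 pattern described in the Impact and Risk sections (this is not code from the TNC Toolbox plugin; the hook, option and field names are assumptions), here is a WordPress admin-AJAX handler that saves a performance setting without an authorization check, beside its hardened form:

```php
<?php
// Added illustration (not the plugin's code): the CWE-862 pattern in a
// WordPress admin-AJAX handler, with its hardened counterpart.
// Hook names, option names and field names below are hypothetical.

// Vulnerable form: wp_ajax_* actions fire for every authenticated account,
// and nothing here checks what that account is allowed to do, so any
// logged-in user (a subscriber, for instance) can rewrite the setting.
function example_save_perf_setting_vulnerable() {
    $mode = sanitize_text_field( wp_unslash( $_POST['cache_mode'] ?? '' ) );
    update_option( 'example_cache_mode', $mode );
    wp_send_json_success( array( 'cache_mode' => $mode ) );
}

// Hardened form: two independent checks run before any state change.
//  1. current_user_can() enforces authorization (the control that is
//     missing in CWE-862); manage_options restricts the action to admins.
//  2. check_ajax_referer() ties the request to a nonce issued to this
//     user, so the action cannot be triggered cross-site.
// The value is also validated against an allow-list before it is stored.
function example_save_perf_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    check_ajax_referer( 'example_perf_settings', 'nonce' );

    $allowed = array( 'off', 'basic', 'aggressive' );
    $mode    = sanitize_text_field( wp_unslash( $_POST['cache_mode'] ?? '' ) );
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid cache mode.' ), 400 );
    }
    update_option( 'example_cache_mode', $mode );
    wp_send_json_success( array( 'cache_mode' => $mode ) );
}

// Only the hardened handler is registered; the vulnerable one is kept for
// contrast. There is deliberately no wp_ajax_nopriv_ registration, so
// unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_example_save_perf_setting', 'example_save_perf_setting_hardened' );

// The nonce the hardened handler expects is handed to the admin page's
// script when it is enqueued, for example:
//   wp_localize_script( 'example-admin', 'exampleSettings', array(
//       'nonce' => wp_create_nonce( 'example_perf_settings' ),
//   ) );
```

When reviewing a plugin for this weakness, look for every `wp_ajax_*`, REST route, or `admin_post_*` handler that changes options and confirm it calls `current_user_can()` (or a REST `permission_callback`) before acting; a nonce check alone is not authorization.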
OpenCVE Enrichment