Impact
The vulnerability in CatFolders arises from a missing authorization check: the plugin performs privileged actions without verifying that the requesting user holds the required capability. This flaw permits unauthorized execution of privileged actions such as creating, editing, or deleting categories, potentially exposing sensitive content or disrupting site organization. The weakness corresponds to CWE-862: Missing Authorization.
Affected Systems
The affected system is the WordPress CatFolders plugin, developed by CatFolders; all installations running version 2.5.3 or earlier are affected. No minimum affected version is defined, so the flaw is taken to apply from the earliest released version up to and including 2.5.3.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score below 1% suggests a low probability of exploitation at this time. The vulnerability is not yet listed in CISA's KEV catalog. The likely attack vector is remote via a web request: an attacker would send a crafted request to the plugin endpoint to execute privileged actions without proper authorization. As inferred from the description, exploitation requires that the target site run the CatFolders plugin; depending on site configuration, any authenticated or unauthenticated user could bypass the intended access controls.
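The CWE-862 pattern described under Impact, and the authenticated/unauthenticated distinction noted above, are illustrated below with a hypothetical WordPress AJAX handler that deletes a folder record. This is an added example, not CatFolders code; the handler names, the `demo_folders` option key and the nonce action are invented, and the two variants are shown side by side although a real plugin would register only one.

```php
<?php
// Added illustration (not CatFolders code). Hypothetical handler names and option key.

// BEFORE (CWE-862): the handler changes privileged state without checking who is asking.
// Registering it on wp_ajax_nopriv_ as well as wp_ajax_ makes it reachable by
// unauthenticated visitors via admin-ajax.php?action=demo_delete_folder.
add_action( 'wp_ajax_demo_delete_folder',        'demo_delete_folder_insecure' );
add_action( 'wp_ajax_nopriv_demo_delete_folder', 'demo_delete_folder_insecure' );

function demo_delete_folder_insecure() {
    $folder_id = isset( $_POST['folder_id'] ) ? absint( $_POST['folder_id'] ) : 0;
    $folders   = get_option( 'demo_folders', array() );
    unset( $folders[ $folder_id ] );          // privileged change, no capability check
    update_option( 'demo_folders', $folders );
    wp_send_json_success();
}

// AFTER: only the logged-in hook is registered, the capability is checked first,
// then the nonce (CSRF), then the input. wp_send_json_error() calls wp_die(), so
// each failing branch stops execution.
add_action( 'wp_ajax_demo_delete_folder', 'demo_delete_folder_secure' );

function demo_delete_folder_secure() {
    // Authorization: require the capability the operation actually needs.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection; dies with 403 when the nonce is missing or invalid.
    check_ajax_referer( 'demo_folder_nonce', 'nonce' );

    $folder_id = isset( $_POST['folder_id'] ) ? absint( $_POST['folder_id'] ) : 0;
    if ( 0 === $folder_id ) {
        wp_send_json_error( 'invalid folder id', 400 );
    }
    $folders = get_option( 'demo_folders', array() );
    if ( ! isset( $folders[ $folder_id ] ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    unset( $folders[ $folder_id ] );
    update_option( 'demo_folders', $folders );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of flaw, look at every `wp_ajax_*`, `wp_ajax_nopriv_*` and REST route callback and confirm that a `current_user_can()` check (or a REST `permission_callback`) runs before any state change; a nonce check alone is not authorization.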
OpenCVE Enrichment