Impact
The vulnerability is an unauthenticated insecure direct object reference in the WordPress BookPro plugin. By manipulating the request parameters that refer to internal objects, an attacker can read or modify data that should be protected. The weakness is described by CWE-639, indicating that access control checks are insufficient, allowing unauthorized disclosure or alteration of information. It does not grant code execution but can compromise confidentiality and integrity of content, such as event listings or booking data.
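The following is an added illustration of the CWE-639 pattern in a WordPress plugin AJAX handler, written for this advisory; it is hypothetical code and not the BookPro plugin's own source. It assumes a custom post type named "booking" whose post_author is the customer who made the booking, and a hook/nonce name of "example_get_booking" / "example_booking_nonce" chosen here for illustration. The first handler is the weak shape (an unauthenticated nopriv endpoint that returns any object whose id the caller names); the second is the corrected shape (authenticated, nonce-checked, and an ownership or capability check on the specific object before anything is returned).

```php
<?php
// Hypothetical WordPress AJAX handlers illustrating CWE-639 (added example, not BookPro code).
// Assumes a custom post type "booking" whose post_author is the customer who owns it.

// WEAK: registered on the "nopriv" hook, so logged-out visitors reach it, and the
// object is returned purely on the basis of the id the caller supplied.
add_action( 'wp_ajax_nopriv_example_get_booking', 'example_get_booking_weak' );
function example_get_booking_weak() {
    $id   = intval( $_GET['id'] ?? 0 );
    $post = get_post( $id );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // No check that the caller may see this booking: any id that exists is disclosed.
    wp_send_json( array(
        'title' => $post->post_title,
        'meta'  => get_post_meta( $id ),
    ) );
}

// HARDENED: only the authenticated hook is registered (no nopriv variant), the request
// carries a nonce, and the object is released only to its owner or to an administrator.
add_action( 'wp_ajax_example_get_booking', 'example_get_booking_hardened' );
function example_get_booking_hardened() {
    check_ajax_referer( 'example_booking_nonce', 'nonce' );

    $id   = absint( $_GET['id'] ?? 0 );
    $post = get_post( $id );

    // Missing objects and objects of the wrong type get the same response as
    // a foreign object below, so the endpoint is not an oracle for valid ids.
    if ( ! $post || 'booking' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Per-object authorization: ownership, or a capability that covers all bookings.
    // "manage_options" is used here as the stand-in administrative capability (assumption).
    $caller_id = get_current_user_id();
    if ( (int) $post->post_author !== $caller_id && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'title' => $post->post_title,
        'meta'  => get_post_meta( $id ),
    ) );
}
```

The point of the corrected version is that authentication alone is not the fix: the check that matters is the one binding the requested object to the caller (owner or a capability scoped to that object type). Returning the same 404 for "does not exist" and "not yours" also removes the side channel that lets a caller map which ids are live.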
Affected Systems
WordPress installations that have installed the Envato:BookPro plugin, version 1.1.0 or earlier. As the plugin is a third-party add-on, any site that deployed these releases is affected until it is upgraded to a later, patched version. The CVE lists no additional platform versions, so the risk is confined to sites running the vulnerable plugin.
Risk and Exploitability
The CVSS score of 5.3 marks it as medium severity, while the EPSS value is not available, so the current exploitation probability is unknown. The vulnerability is reachable without authentication, meaning the attacker need not have an account. Attackers would likely use HTTP requests to guess or enumerate object identifiers. Because it is not listed in the CISA KEV catalog, no widespread exploitation has been reported yet. Nevertheless, the moderate score and unauthenticated access call for prompt remediation.
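Because exploitation of this class of flaw looks like one client walking through many object identifiers, access logs give a usable detection signal while a patch is being rolled out. The script below is an added example for this advisory, not a tool from the plugin or the CVE source; it runs over constructed Apache combined-format lines embedded inline, assumes the plugin endpoint is reached through admin-ajax.php with "action" and "id" query parameters, and flags any client that requested at least a threshold number of distinct ids for one action.

```php
<?php
// Added example: flag id enumeration against a WordPress AJAX endpoint from access logs.
// The log lines below are constructed for this example and are not from a real site.

$sample_log = <<<'LOG'
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=101 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=102 HTTP/1.1" 200 498 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=103 HTTP/1.1" 404 61 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=104 HTTP/1.1" 200 507 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=105 HTTP/1.1" 200 520 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=106 HTTP/1.1" 200 511 "-" "curl/8.4"
198.51.100.7 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=42 HTTP/1.1" 200 530 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:45 +0000] "GET /wp-admin/admin-ajax.php?action=get_booking&id=42 HTTP/1.1" 200 530 "https://example.test/" "Mozilla/5.0"
LOG;

/**
 * Returns ["<ip> <action>" => distinct-id-count] for every client/action pair
 * whose distinct id count reaches $threshold.
 */
function find_enumeration( string $log, int $threshold ): array {
    $seen = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        // Client address is the first field; the request target sits inside the quoted request line.
        if ( ! preg_match( '/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\//', $line, $m ) ) {
            continue;
        }
        $ip    = $m[1];
        $query = parse_url( $m[2], PHP_URL_QUERY );
        if ( ! $query ) {
            continue;
        }
        parse_str( $query, $params );
        if ( ! isset( $params['action'], $params['id'] ) ) {
            continue;
        }
        // Track distinct ids per (client, action); repeats of one id are not enumeration.
        $seen[ $ip . ' ' . $params['action'] ][ $params['id'] ] = true;
    }

    $flagged = [];
    foreach ( $seen as $key => $ids ) {
        if ( count( $ids ) >= $threshold ) {
            $flagged[ $key ] = count( $ids );
        }
    }
    return $flagged;
}

foreach ( find_enumeration( $sample_log, 5 ) as $key => $n ) {
    echo "possible id enumeration: $key ($n distinct ids)\n";
}
```

On the constructed input only the 203.0.113.5 client is reported (six distinct ids); the second client repeating a single id is not. A production rule would add a time window and weigh the ratio of 404 responses, since a client probing ids it does not own tends to hit a higher share of misses than a legitimate user opening their own bookings.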
OpenCVE Enrichment