Impact
The Leaky Paywall plugin contains a missing authorization check that allows any user to access content intended to be restricted. This broken access control vulnerability exposes confidential material to unauthenticated or improperly authorized parties. The flaw is classified as CWE-862 (Missing Authorization) and can enable an attacker to retrieve premium posts, pages, or other protected resources without paying or logging in.
Affected Systems
The affected product is the Zeen101 Leaky Paywall WordPress plugin. All releases from the earliest available version up to and including version 4.22.6 are impacted. Users running any of these versions on WordPress sites should consider the plugin vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can simply request the URLs of protected content or send crafted requests to bypass the plugin’s access checks, enabling the exposure of restricted material without needing privileged credentials.
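As an added illustration of the CWE-862 pattern this advisory describes (hypothetical code written for this page, not the Leaky Paywall plugin's own; the `example-paywall/v1` route, the `example_` functions and the `example_paywall_active` user-meta key are assumptions), the following shows a WordPress REST route that serves paywalled content with no permission check, beside the same route with authorization enforced before the callback runs:

```php
<?php
// Constructed illustration of CWE-862 in a WordPress paywall plugin.
// Hypothetical code, not the Leaky Paywall plugin's own; names prefixed example_ are assumed.

function example_paywall_get_content( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_not_found', 'Post not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'content' => apply_filters( 'the_content', $post->post_content ),
    ) );
}

// Hypothetical entitlement lookup; replace with the site's real subscription check.
function example_paywall_has_subscription( $user_id ) {
    return (bool) get_user_meta( $user_id, 'example_paywall_active', true );
}

// Authorization check that WordPress runs before the route callback.
function example_paywall_can_view( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $post_id = (int) $request['id'];
    if ( current_user_can( 'edit_post', $post_id ) || example_paywall_has_subscription( get_current_user_id() ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Subscription required.', array( 'status' => 403 ) );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE: '__return_true' tells WordPress that anyone may call this route,
    // so an unauthenticated GET returns the full body of a paywalled post.
    register_rest_route( 'example-paywall/v1', '/content/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_paywall_get_content',
        'permission_callback' => '__return_true',
    ) );

    // FIXED: same callback, but WordPress rejects the request unless
    // example_paywall_can_view() returns true.
    register_rest_route( 'example-paywall/v1', '/content-secure/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_paywall_get_content',
        'permission_callback' => 'example_paywall_can_view',
    ) );
} );
```

When auditing a plugin for this class of bug, every `register_rest_route` call, AJAX handler and template filter that returns gated content should enforce the entitlement check server-side; a `'__return_true'` permission callback on a content-returning route is the pattern to look for.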
OpenCVE Enrichment