Impact
The vulnerability is a missing authorization flaw in the Merkulove Gmaper for Elementor plugin that lets attackers exploit incorrectly configured access control settings. Because the plugin does not enforce proper authentication or role checks, an attacker can perform operations that should be restricted to privileged users, potentially viewing or manipulating content without permission.
Affected Systems
All installations of the Merkulove Gmaper for Elementor plugin up to and including version 1.0.9 are affected. Any site that has not yet upgraded beyond this version is at risk.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw permits unauthorized data access, an attacker could abuse the missing access controls as soon as an affected plugin version is reachable. The likely attack vector is the plugin’s frontend interfaces or administrative pages, which are assumed to be protected by default security settings. Given the moderate CVSS score and low EPSS score, the risk is more latent than immediate, but any site that offers the plugin to visitors or operates in a shared hosting environment should treat it as a security hygiene issue.
OpenCVE Enrichment