Impact
This vulnerability is a broken access control flaw in the Sitewide Notice WP WordPress plugin, caused by missing authorization checks on administrative functions. As a result, users without sufficient privileges can modify or delete the site-wide notice, changing what visitors are shown. The description does not indicate remote code execution or data exfiltration, but control over site-wide messaging undermines the integrity and trustworthiness of what the site tells its visitors, since a notice that appears on every page is exactly where a fraudulent announcement or link would be most believed.
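The pattern behind "missing authorization checks on administrative functions" is easiest to see in a WordPress admin-ajax handler. The following is an added illustration, not code from the Sitewide Notice WP plugin: the function, hook and option names (swn_demo_*, swn_demo_notice_text, the settings page hook) are all hypothetical. The first handler saves a notice with no check on who is asking; the second verifies both intent (a nonce) and authority (a capability) before writing.

```php
<?php
// Added example; not the plugin's own code. All swn_demo_* names are hypothetical.

// BEFORE (the class of bug the advisory describes):
// wp_ajax_* hooks only require that *some* user is logged in. Nothing here
// checks the caller's role or a nonce, so any authenticated account that can
// reach admin-ajax.php can overwrite the site-wide notice.
function swn_demo_save_notice_vulnerable() {
    $text = isset( $_POST['notice_text'] ) ? wp_unslash( $_POST['notice_text'] ) : '';
    update_option( 'swn_demo_notice_text', $text ); // hypothetical option name
    wp_send_json_success();
}
add_action( 'wp_ajax_swn_demo_save_notice_v1', 'swn_demo_save_notice_vulnerable' );

// AFTER (hardened): reject the request unless it carries a valid nonce for
// this action AND the user holds a capability appropriate for site settings.
function swn_demo_save_notice_hardened() {
    // Dies with HTTP 403 when the 'nonce' POST field is missing or stale.
    check_ajax_referer( 'swn_demo_save_notice', 'nonce' );

    // Only users allowed to manage site options may edit a site-wide notice.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $text = isset( $_POST['notice_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['notice_text'] ) )
        : '';
    update_option( 'swn_demo_notice_text', $text );
    wp_send_json_success();
}
add_action( 'wp_ajax_swn_demo_save_notice', 'swn_demo_save_notice_hardened' );

// Deleting the notice needs the same two checks; a delete endpoint is just as
// damaging to site messaging as an edit endpoint.
function swn_demo_delete_notice_hardened() {
    check_ajax_referer( 'swn_demo_delete_notice', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    delete_option( 'swn_demo_notice_text' );
    wp_send_json_success();
}
add_action( 'wp_ajax_swn_demo_delete_notice', 'swn_demo_delete_notice_hardened' );

// The legitimate admin page hands the nonces to its JavaScript; an attacker
// on another account cannot mint them, so CSRF and low-privilege misuse both fail.
function swn_demo_enqueue_admin_script( $hook ) {
    if ( 'settings_page_swn-demo' !== $hook ) { // hypothetical settings page hook
        return;
    }
    wp_enqueue_script( 'swn-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'swn-demo-admin', 'swnDemo', array(
        'ajaxUrl'     => admin_url( 'admin-ajax.php' ),
        'saveNonce'   => wp_create_nonce( 'swn_demo_save_notice' ),
        'deleteNonce' => wp_create_nonce( 'swn_demo_delete_notice' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'swn_demo_enqueue_admin_script' );
```

Two things worth checking when auditing a plugin for this class of flaw: whether every `wp_ajax_*` (and `admin_post_*`) handler that writes settings calls `current_user_can()` with a capability that matches the action, and whether the same handler is also registered under `wp_ajax_nopriv_*`, which makes it reachable with no login at all.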
Affected Systems
The problem affects Andrew Lima's Sitewide Notice WP plugin in all releases up to and including version 2.4.1. Any WordPress site running the plugin at 2.4.1 or earlier is potentially vulnerable, regardless of the underlying operating system or WordPress core version. Confirm the installed version from the Plugins screen or with `wp plugin list`, and update to a release newer than 2.4.1.
Risk and Exploitability
A CVSS score of 5.3 places the severity at Medium, and an EPSS score below 1% indicates a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Because the missing checks sit on administrative functions, exploitation most likely requires an authenticated user whose role can reach the plugin's administrative interface; the advisory does not publish the vector string, so the lowest role that suffices is not stated. (For reference, a 5.3 score with integrity-only impact matches the unauthenticated network vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, while the same impact with PR:L scores 4.3, so the score alone should not be read as confirming that a login is needed.) The flaw lets an attacker alter or remove notices that are displayed site-wide, which can be used for social engineering (for example, a fake maintenance or login notice pointing at an attacker-controlled page) or to damage the site's reputation.
OpenCVE Enrichment