Impact
A missing authorization check in the Fluent Support WordPress plugin allows an attacker to bypass intended access restrictions: an operation the plugin exposes can be reached without the plugin confirming that the requesting user holds the role or capability it was meant to require (the weakness class CWE calls Missing Authorization, CWE-862). The advisory describes the consequence as exploitation of incorrectly configured access-control security levels, meaning the privilege boundary between roles exists in intent but is not enforced on that code path. An attacker could therefore read support tickets, modify their content, or view information that the plugin's user roles were supposed to protect, compromising the confidentiality or integrity of support data.
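As an added illustration of the weakness class described above (this is example code written for this page, not Fluent Support's code, and not the plugin's actual vulnerable code path, which the advisory does not disclose): a WordPress REST route registered without an authorization check, next to the hardened form of the same route. The `example-support` namespaces, the function names, the `view_support_tickets` capability and the in-memory ticket table are all hypothetical.

```php
<?php
// Added illustration, not Fluent Support's code: a WordPress REST route that
// lacks an authorization check, next to a hardened version of the same route.
// The namespaces, function names, the 'view_support_tickets' capability and
// the in-memory ticket table below are hypothetical.

// Constructed sample data standing in for the plugin's ticket storage.
function example_load_ticket( int $ticket_id ) {
    static $tickets = array(
        101 => array( 'id' => 101, 'customer_id' => 7, 'subject' => 'Refund request' ),
        102 => array( 'id' => 102, 'customer_id' => 9, 'subject' => 'Login problem' ),
    );
    return $tickets[ $ticket_id ] ?? null;
}

// Shared route callback: it only loads and formats the ticket. Whether the
// caller may see this ticket must already have been decided before it runs.
function example_get_ticket( WP_REST_Request $request ) {
    $ticket = example_load_ticket( (int) $request['id'] );
    if ( null === $ticket ) {
        return new WP_Error( 'rest_not_found', 'Ticket not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $ticket );
}

// HARDENED permission callback: authentication, then capability, then
// object-level ownership. WordPress runs this before the route callback.
function example_can_view_ticket( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        // Cookie authentication also requires a valid X-WP-Nonce header;
        // without one WordPress treats the request as anonymous.
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    // Agents: a capability granted to the support roles. A real plugin would
    // add this capability to its roles at activation; the name is hypothetical.
    if ( current_user_can( 'view_support_tickets' ) ) {
        return true;
    }

    // Customers: only the ticket's own requester may read it. A missing or
    // foreign ticket gets the same 403, so customers cannot enumerate IDs.
    $ticket = example_load_ticket( (int) $request['id'] );
    if ( null !== $ticket && (int) $ticket['customer_id'] === get_current_user_id() ) {
        return true;
    }

    return new WP_Error( 'rest_forbidden', 'You may not view this ticket.', array( 'status' => 403 ) );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE pattern: '__return_true' authorizes every request, so even an
    // anonymous visitor can GET /wp-json/example-support-insecure/v1/tickets/101.
    register_rest_route( 'example-support-insecure/v1', '/tickets/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_ticket',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: same callback, but the permission callback runs first and its
    // WP_Error (401/403) is returned without ever invoking the callback.
    register_rest_route( 'example-support/v1', '/tickets/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_ticket',
        'permission_callback' => 'example_can_view_ticket',
        'args'                => array(
            'id' => array(
                'type'              => 'integer',
                'required'          => true,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

The hardened permission callback separates three questions that a missing-authorization bug collapses into none: is the caller authenticated, does the caller's role grant this operation at all (a capability check), and may the caller act on this particular ticket (an object-level check). For state-changing routes the same structure applies with `WP_REST_Server::EDITABLE`; the `X-WP-Nonce` that cookie-authenticated REST requests must carry defends against cross-site request forgery but is not a substitute for the capability check.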
Affected Systems
Affected systems are WordPress sites running the Fluent Support plugin by Shahjahan Jewel in any release up to and including version 1.10.4; the advisory gives no lower bound for the affected range, so every earlier release should be treated as affected. Any installation that has not been updated to a release later than 1.10.4 remains vulnerable. The advisory names no specific operating system or WordPress core version, so every WordPress environment running an affected plugin version is impacted regardless of platform.
Risk and Exploitability
The CVSS score of 6.5 falls in the Medium band of the CVSS v3.x qualitative scale. The EPSS score of less than 1% indicates that the estimated probability of exploitation in the wild over the next 30 days is currently low, and the vulnerability does not appear in the CISA KEV catalog, which is consistent with that estimate. Based on the description, exploitation is inferred to require an authenticated user who can reach plugin functionality that should have been restricted to a higher role; because the authorization check is absent rather than merely weak, such a user needs nothing more than to issue the request. An attacker in that position could read or modify support tickets, violating the confidentiality or integrity of support data. The low EPSS is not a reason to defer remediation, which is to update the plugin to a release later than 1.10.4.
OpenCVE Enrichment