Impact
RenatoAtShwon's Shown Connector plugin suffers from a missing authorization flaw that permits attackers to alter plugin configuration settings. The vulnerability, identified as CWE-862, enables an actor who can reach the plugin’s settings interface to modify options that influence the plugin’s behavior on a WordPress site. Based on the description, it is inferred that the attacker must have some level of access to reach the settings page and that the attack likely involves authenticated or privileged users, although an exposed front‑end could broaden the vector. Such unauthorized changes can lead to misconfiguration, potential escalation of privileges, or a foundation for additional attacks, affecting the integrity of the site’s functionality.
Affected Systems
Any WordPress installation using Shown Connector version 1.2.10 or earlier is vulnerable. The description does not specify which WordPress core versions are impacted, so it is inferred that all installations with the vulnerable plugin version are at risk, regardless of the underlying WordPress version. The issue does not affect later plugin versions and is specific to the plugin itself rather than the core or server environment.
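To check an installation against the affected range above, the following added example (not code from the plugin or from the advisory) scans a plugins directory and classifies each installed copy. It assumes the standard `wp-content/plugins/<folder>/*.php` layout and that the plugin's header comment carries the name "Shown Connector"; the sample tree in the demo is constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Shown Connector"   # assumed header value; name as written in the advisory
LAST_AFFECTED = (1, 2, 10)        # advisory: "version 1.2.10 or earlier"

def read_header(php_file):
    """Read 'Plugin Name' and 'Version' from a plugin file's header comment."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", head, re.M | re.I)
        if m:  # drop a trailing "*/" or "?>" left by one-line comments
            fields[key] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return fields

def parse_version(text):
    """'1.2.10' -> (1, 2, 10); None when there is no leading number."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece.strip())
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        return None
    while parts and parts[-1] == 0:   # treat 1.2.10.0 the same as 1.2.10
        parts.pop()
    return tuple(parts)

def scan_plugins(plugins_dir):
    """Return (relative path, version string, status) per installed copy."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header.get("Plugin Name", "").lower() != PLUGIN_NAME.lower():
            continue
        raw = header.get("Version", "")
        version = parse_version(raw)
        status = ("unknown" if version is None
                  else "affected" if version <= LAST_AFFECTED else "not affected")
        findings.append((php_file.relative_to(plugins_dir).as_posix(), raw, status))
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample tree
        for folder, ver in (("site-a", "1.2.10"), ("site-b", "1.3.0")):
            d = Path(tmp, folder); d.mkdir()
            d.joinpath("plugin.php").write_text(f"<?php\n/*\n * Plugin Name: {PLUGIN_NAME}\n * Version: {ver}\n */\n")
        print(scan_plugins(tmp))
```

A copy whose header has no parsable version is reported as `unknown` rather than assumed safe, so it can be reviewed by hand.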
Risk and Exploitability
The CVSS score of 6.5 places the flaw in the medium severity range, while an EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Exploitation likely requires access to the plugin’s settings page, typically available only to authenticated users with appropriate privileges. Based on the description, it is inferred that the attacker must first reach this page. If the plugin is unintentionally exposed through the front‑end, or if site misconfigurations allow broad access, the attack vector widens, but some level of authentication remains a prerequisite.
OpenCVE Enrichment