Impact
The vulnerability is a missing authorization flaw in the ConveyThis Translate plugin for WordPress, stemming from incorrectly configured access control levels. Because the plugin's endpoints do not enforce proper access control, a user lacking the required permissions can invoke the functionality. This allows an attacker to perform actions or view data that should be restricted, potentially exposing sensitive information or carrying out privileged operations not intended for their user role. The weakness is a textbook instance of missing authorization (CWE-862).
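To make the flaw class concrete, the following is an added illustration of the pattern CWE-862 describes in a WordPress plugin, shown beside its hardened form. This is not ConveyThis code: the hook names, function names and the option key `cth_demo_settings` are hypothetical.

```php
<?php
/**
 * Added illustration, not plugin code: a missing-authorization handler
 * beside the corrected version. All names below are hypothetical.
 */

// --- Vulnerable pattern: the handler is reachable by any logged-in user
// (wp_ajax_* fires for every authenticated role) and performs a privileged
// write without checking who is calling. This is the CWE-862 shape.
add_action( 'wp_ajax_cth_demo_save', 'cth_demo_save_unchecked' );
function cth_demo_save_unchecked() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'cth_demo_settings', sanitize_text_field( $settings ) );
    wp_send_json_success();
}

// --- Hardened pattern: verify the nonce (request forgery) and the
// capability (authorization) before touching privileged state.
add_action( 'wp_ajax_cth_demo_save_v2', 'cth_demo_save_checked' );
function cth_demo_save_checked() {
    check_ajax_referer( 'cth_demo_save', '_wpnonce' ); // terminates on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'cth_demo_settings', sanitize_text_field( $settings ) );
    wp_send_json_success();
}

// --- The same rule for REST routes: a route that reads or writes
// privileged data must carry a real permission_callback, never
// '__return_true'.
add_action( 'rest_api_init', function () {
    register_rest_route( 'cth-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $settings = sanitize_text_field( (string) $request->get_param( 'settings' ) );
            update_option( 'cth_demo_settings', $settings );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, the check is mechanical: every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST handler that changes state or returns non-public data should contain a `current_user_can()` test (or a non-trivial `permission_callback`) before the sensitive operation.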
Affected Systems
WordPress sites running the ConveyThis Translate plugin at any version from the initial release up to and including 269.9 are affected. Every installation that has not been updated to 270.0 or later exposes the broken access control flaw. Users of older plugin versions on any WordPress environment should consider themselves at risk.
Risk and Exploitability
The CVSS score of 6.5 classifies the issue as medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in CISA's KEV catalog, indicating no publicly known exploitation. An attacker would likely need to reach an accessible endpoint exposed by the plugin; the attack vector is inferred to be the WordPress administrative interface, using an authenticated session whose role lacks the privileges the action requires. While exploitation is possible, the low EPSS score and the absence of public exploitation reports reduce the current urgency, but updating to a patched release remains the recommended mitigation.
OpenCVE Enrichment