Impact
The vulnerability is a missing authorization flaw in the WordPress Ultimate Auction plugin (versions up to 4.3.3) that allows an attacker to exploit incorrectly configured access control security levels. This weakness can enable unauthorized modification or deletion of auction items and potentially other administrative functions. The flaw is classified as CWE-862 (Missing Authorization): a privileged action is carried out without first checking that the requesting user is entitled to perform it.
Affected Systems
The affected product is the Ultimate Auction plugin for WordPress developed by Nitesh, with all releases from the earliest available version through version 4.3.3. No other versions or related components are listed in the CNA data.
Risk and Exploitability
The CVSS score of 5.4 places the vulnerability in the medium severity range, while the EPSS score of less than 1% indicates a very low current probability of exploitation. The vulnerability is not included in the CISA KEV catalog. Exploitation would most likely occur through the web interface of a WordPress site that hosts the plugin: an attacker would send crafted requests to the plugin actions that lack an authorization check. No publicly disclosed exploits are reported, but the weakness could be abused by anyone who can reach the WordPress admin area or can influence user roles. Sites running Ultimate Auction 4.3.3 or earlier should check for an updated release from the vendor and, in the meantime, limit which accounts can reach the plugin's administrative pages.
OpenCVE Enrichment