Impact
The plugin suffers from a Missing Authorization flaw, where improperly configured access controls allow attackers to gain elevated privileges or access restricted functionality. This can enable an attacker to read, modify, or delete content managed through the plugin without proper authentication, potentially impacting the confidentiality and integrity of the site. The weakness is classified as CWE‑862.
Affected Systems
JayBee Twitch Player, a WordPress plugin, in versions up through 2.1.3, on WordPress sites that have the plugin installed.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity. The EPSS score is less than 1%, suggesting that exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed widespread exploitation cases are recorded. The likely attack vector is HTTP requests to the plugin's administrative or API endpoints that are not properly protected. Based on the description, it is inferred that no valid user credentials are required beyond the default application context: an unauthenticated or low-privileged user could trigger the exploit. An attacker would need to identify the presence of the plugin and then craft requests that bypass authentication checks.