Impact
The vulnerability in the Spider Themes BBP Core plugin for WordPress, affecting versions up to and including 1.4.1, is a missing authorization flaw that lets an attacker bypass the plugin's access-control restrictions. Because the plugin handles certain requests without checking whether the caller is permitted to perform the requested action, an adversary could read or modify content or trigger operations that should be reserved for privileged users. The weakness is classified as CWE-862 (Missing Authorization): the code carries out an action on behalf of a caller without first verifying that the caller is authorized to do so.
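To make the CWE-862 pattern concrete, the following WordPress plugin fragment is an added illustration, not BBP Core's code and not taken from the advisory. It registers a hypothetical `demo/v1/settings` REST route and a hypothetical `demo_save` admin-ajax action first in the vulnerable form (no authorization check at all), then in a hardened form that checks a capability and, for the ajax path, a nonce. All route, action, option and function names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: CWE-862 missing-authorization demo (illustrative only)
 *
 * Drop into wp-content/plugins/ on a test site to compare the two variants.
 * Everything below uses public WordPress core APIs; the names demo_* are made up.
 */

/* ---------- VULNERABLE ---------- */

// REST route reachable by anyone: '__return_true' makes the permission check a no-op.
// (Omitting 'permission_callback' entirely behaves the same way and only logs a
// _doing_it_wrong notice since WordPress 5.5.)
add_action( 'rest_api_init', function () {
	register_rest_route( 'demo/v1', '/settings-open', array(
		'methods'             => WP_REST_Server::EDITABLE,      // POST, PUT, PATCH
		'callback'            => 'demo_update_settings',
		'permission_callback' => '__return_true',               // <-- CWE-862
	) );
} );

// admin-ajax handler hooked for unauthenticated users (wp_ajax_nopriv_*) and
// logged-in users alike, with no capability or nonce check inside the callback.
add_action( 'wp_ajax_nopriv_demo_save_open', 'demo_ajax_save_open' );  // <-- CWE-862
add_action( 'wp_ajax_demo_save_open',        'demo_ajax_save_open' );
function demo_ajax_save_open() {
	// Any visitor can POST to /wp-admin/admin-ajax.php?action=demo_save_open
	update_option( 'demo_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
	wp_send_json_success();
}

/* ---------- HARDENED ---------- */

// Same REST route, but the permission callback asks WordPress whether the
// current user holds the capability the action requires. Unauthenticated REST
// calls run as user 0, so current_user_can() returns false for them.
add_action( 'rest_api_init', function () {
	register_rest_route( 'demo/v1', '/settings', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'demo_update_settings',
		'permission_callback' => function ( WP_REST_Request $request ) {
			return current_user_can( 'manage_options' );
		},
		'args' => array(
			'value' => array(
				'type'              => 'string',
				'required'          => true,
				'sanitize_callback' => 'sanitize_text_field',
			),
		),
	) );
} );

// Shared REST callback: by the time this runs, the permission callback has passed.
function demo_update_settings( WP_REST_Request $request ) {
	update_option( 'demo_setting', $request->get_param( 'value' ) );
	return rest_ensure_response( array( 'updated' => true ) );
}

// admin-ajax: no wp_ajax_nopriv_* hook (anonymous callers never reach the handler),
// a nonce check against CSRF, and an explicit capability check before acting.
add_action( 'wp_ajax_demo_save', 'demo_ajax_save' );
function demo_ajax_save() {
	check_ajax_referer( 'demo_save', 'nonce' );            // dies with 403 on a bad nonce
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );             // authorization failure
	}
	update_option( 'demo_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
	wp_send_json_success();
}
```

The capability used in the hardened variant (`manage_options`) is a placeholder; the right choice is the narrowest capability that matches the action (for example `edit_posts` or `moderate_comments` for forum-style content). The REST nonce is not needed in the route's own code because WordPress core already validates the `X-WP-Nonce` header for cookie-authenticated REST requests before the permission callback runs.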
Affected Systems
WordPress sites running the Spider Themes BBP Core plugin in any version through 1.4.1 are affected. Site owners should update the plugin to a release later than 1.4.1, which removes the flaw. No other products or versions are known to be affected.
Risk and Exploitability
The CVSS base score of 5.3 corresponds to Medium severity. The EPSS score of less than 1% indicates a very low estimated probability of in-the-wild exploitation at the time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the description, the likely attack vector is the WordPress web front end: an attacker sends crafted requests to the kinds of endpoints a plugin exposes (admin-ajax actions or REST routes, for instance) that are reachable without the expected permission check. The flaw does not by itself yield remote code execution, but it allows unauthorized actions (an effective privilege escalation) and data manipulation by anyone who can reach the site's web interface, which for a typical public WordPress installation means anyone on the internet.
OpenCVE Enrichment