Impact
A missing authorization flaw in the Ben Balter WP Document Revisions plugin allows attackers to bypass the configured access control settings and view or modify documents that should be restricted. The vulnerability is classified as CWE‑862, indicating that protected resources can be accessed without proper authentication or authorization. As a result, sensitive documents may be exposed or altered by unauthenticated users, potentially leading to confidentiality breaches.
Affected Systems
WordPress sites running the WP Document Revisions plugin at version 3.7.2 or earlier are affected. Any site relying on the plugin’s document visibility controls could allow non‑privileged users to access private files. Releases newer than 3.7.2 are not affected.
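One way to check a host against the affected range above, as an added example that is not the plugin's or the advisory's own code: it reads the plugin header from disk and compares the version with 3.7.2. The directory name `wp-document-revisions`, the function names and the sample header are assumptions made for this sketch.

```python
import re
from pathlib import Path

LAST_AFFECTED = (3, 7, 2)             # advisory: 3.7.2 or earlier is affected
PLUGIN_DIR = "wp-document-revisions"  # assumption: the plugin's directory name

# Constructed sample of a plugin header comment, used by the demo below.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Document Revisions
 * Version: 3.7.2
 */
"""

def parse_version(text):
    """Return the 'Version:' header as a tuple of ints, or None if absent."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when version <= 3.7.2; pads so that 3.7 compares as 3.7.0."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)

def check_site(wp_root):
    """Classify one install: not-installed, affected, not-affected, unknown."""
    plugin = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_DIR
    if not plugin.is_dir():
        return "not-installed"
    for php in sorted(plugin.glob("*.php")):
        # WordPress itself only reads the first 8 KB of a file for headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" not in head:
            continue  # not the plugin's main file
        version = parse_version(head)
        if version is not None:
            return "affected" if is_affected(version) else "not-affected"
    return "unknown"  # installed but no readable version: review by hand

if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print(v, "affected" if is_affected(v) else "not-affected")
```

Run `check_site()` against each WordPress document root on a host; an `unknown` result means the plugin directory exists but no version header could be read, so it needs a manual look.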
Risk and Exploitability
The CVSS score of 2.7 denotes low severity, reflecting that the vulnerability does not provide remote code execution or privilege escalation. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the flaw is not listed in CISA’s KEV catalog. Nonetheless, because the attack vector is likely the standard HTTP interfaces that serve the plugin, any authenticated or unauthenticated user could exploit the flaw if the site structure allows direct access to the plugin’s endpoints. The overall risk remains modest but should be mitigated promptly to protect sensitive documents.