Impact
This vulnerability is a missing authorization flaw in the Gora Tech Cooked plugin. Because the plugin does not enforce proper access controls, a user who has authenticated to the WordPress site could potentially perform actions they are not meant to, such as creating, editing, or deleting content or settings. The weakness is categorized as CWE-862, indicating an access control failure that undermines the integrity and confidentiality of protected data.
Affected Systems
The affected product is the Gora Tech Cooked WordPress plugin, versions up through 1.11.3. Any installation running these versions is potentially vulnerable.
Risk and Exploitability
The CVSS score of 5.3 places this flaw in the medium severity range, reflecting the moderate impact should an attacker gain unauthorized access to plugin functionality. The EPSS score of less than 1% suggests that the likelihood of this vulnerability being actively exploited in the wild is very low at present, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the likely attack vector is an authenticated session that the attacker has obtained (through stolen credentials, password reuse, or a compromised account), allowing the attacker to exploit the broken access control after login. If the attacker manages to operate with elevated privileges, they could perform arbitrary modifications within the plugin’s scope.