Impact
Missing authorization enforcement was discovered in the WP Adminify plugin for WordPress, allowing attackers to perform actions normally restricted to privileged users. The flaw enables unauthorized users to access, configure, or delete settings within the plugin, potentially compromising the integrity and confidentiality of the site's administration functions. The weakness corresponds to CWE-862 (Missing Authorization): the code carries out a privileged operation without first checking that the calling user is actually permitted to perform it. Vulnerabilities of this nature can lead to unauthorized configuration changes and are a concern for administrators and security teams managing WordPress instances.
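The pattern behind a CWE-862 finding in a WordPress plugin, shown as an added illustration that is not WP Adminify's code and makes no claim about which of its handlers are affected. The action names, option name and settings keys are hypothetical; the WordPress API calls (add_action, current_user_can, check_ajax_referer, update_option, wp_send_json_*) are real.

```php
<?php
// Added illustrative example, not code from the WP Adminify plugin.
// Shows the CWE-862 pattern for a WordPress admin-ajax handler that saves plugin
// settings, next to a hardened version. 'example_*' names are hypothetical.

// --- Vulnerable pattern: the handler is registered for logged-in users
// (wp_ajax_*), but never asks WHO is calling. Any authenticated account, including
// a Subscriber, can POST to admin-ajax.php?action=example_save_settings and
// overwrite the option. Authentication happened; authorization did not.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings ); // hypothetical option name
    wp_send_json_success();
}

// --- Hardened pattern: verify the nonce (anti-CSRF) and the caller's capability
// (authorization) before touching any state, then store only allow-listed values.
add_action( 'wp_ajax_example_save_settings_fixed', 'example_save_settings_fixed' );
function example_save_settings_fixed() {
    // Nonce check ties the request to a form this user was actually shown.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // Authorization check: only users allowed to manage site options may proceed.
    // This single missing line is what CWE-862 describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = example_sanitize_settings( (array) $raw );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}

// Same rule for destructive operations: a delete endpoint needs the same gate.
add_action( 'wp_ajax_example_delete_settings_fixed', 'example_delete_settings_fixed' );
function example_delete_settings_fixed() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    delete_option( 'example_plugin_settings' );
    wp_send_json_success();
}

// Allow-list the keys that may be stored and coerce each to its expected type,
// so an authorized but careless admin cannot store arbitrary markup or URLs.
function example_sanitize_settings( array $raw ) {
    $clean = array();
    $clean['enable_dark_mode'] = ! empty( $raw['enable_dark_mode'] );
    $clean['login_logo_url']   = isset( $raw['login_logo_url'] ) ? esc_url_raw( $raw['login_logo_url'] ) : '';
    $clean['items_per_page']   = isset( $raw['items_per_page'] )
        ? max( 1, min( 500, absint( $raw['items_per_page'] ) ) )
        : 20;
    return $clean;
}
```

When reviewing a plugin for this class of bug, grep every `wp_ajax_*` and `admin_post_*` hook and every `register_rest_route()` call: each handler needs a `current_user_can()` check (or, for REST routes, a `permission_callback` that is not `__return_true`) before it reads or writes options. A nonce alone is not an authorization check; it only proves the request came from a page the same user loaded.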
Affected Systems
The affected product is the WP Adminify plugin for WordPress, from vendor Liton Arefin. All releases from the earliest version through 4.0.6.1 are impacted; the advisory names no fixed version, so any installed version numbered 4.0.6.1 or earlier should be treated as vulnerable. No other WordPress plugins or core WordPress components are listed as affected.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of assessment. The vulnerability is not present in the CISA KEV catalog, so no in-the-wild exploitation is known. The summary above gives no CVSS vector string or proof of concept, so the following is inferred from the description: the likely attack path is the plugin's administrative functionality (typically an admin page, admin-ajax action, or REST route) reached by a user who can log in with a low-privileged, weak, or compromised WordPress account and then invoke operations the plugin fails to gate on capability. Because the missing control is authorization rather than authentication, the attacker is presumed to need some account on the site; what is absent is the check of whether that account is allowed to perform the action. Exploitation is remote, over the normal WordPress web interface, and requires no access to the hosting machine itself.
OpenCVE Enrichment