Impact
The vulnerability in the DeluxeThemes Userpro plugin stems from incorrectly configured access control levels: a missing authorization check that an attacker can exploit to bypass authentication and gain unauthorized access to protected content or administrative functions. The flaw is classified as CWE-862 (Missing Authorization). It allows a threat actor to potentially read, modify, or delete user data and to perform privileged operations that should be restricted to authenticated and authorized users. The impact falls primarily on the confidentiality, integrity, and availability of user information within affected WordPress installations.
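The advisory describes the flaw only at the CWE-862 level and does not identify the affected code path. The following is an added illustration of what a missing-authorization bug looks like in a WordPress AJAX handler, shown next to its hardened form. It is constructed for this page and is not code from the Userpro plugin; the action names `example_change_role_unchecked` and `example_change_role`, the `nonce` request field, and the role-change operation are all hypothetical.

```php
<?php
// Constructed CWE-862 illustration for a WordPress AJAX handler.
// Not code from the Userpro plugin; hook names and fields are hypothetical.

// --- Vulnerable form: the callback trusts the request and performs a
// privileged write with no capability check and no nonce verification.
function example_change_role_unchecked() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_text_field( wp_unslash( $_POST['role'] ) ) : '';

    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( $role ); // Any caller can change any user's role.
    }
    wp_send_json_success();
}
// Registering the nopriv variant exposes the handler to unauthenticated callers too.
add_action( 'wp_ajax_example_change_role_unchecked',        'example_change_role_unchecked' );
add_action( 'wp_ajax_nopriv_example_change_role_unchecked', 'example_change_role_unchecked' );

// --- Hardened form: verify the nonce, require the capability the operation
// actually needs, validate the input, and only then perform the write.
function example_change_role() {
    // Rejects requests without a valid nonce for this action (CSRF protection);
    // check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_change_role', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';

    // Authorization check: changing roles is an administrative operation, and
    // the caller must also be allowed to edit this particular user.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Only accept roles that exist on this site.
    if ( ! array_key_exists( $role, wp_roles()->roles ) ) {
        wp_send_json_error( array( 'message' => 'Unknown role' ), 400 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'No such user' ), 404 );
    }

    $user->set_role( $role );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach this code.
add_action( 'wp_ajax_example_change_role', 'example_change_role' );
```

The two checks in the hardened form address different things: `check_ajax_referer()` ties the request to a page the user actually loaded, while `current_user_can()` is the authorization decision itself. Omitting the latter is what CWE-862 describes, and it cannot be compensated for by nonce checks, sanitization, or leaving out the `nopriv` hook alone, since any logged-in subscriber can still reach a `wp_ajax_` handler.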
Affected Systems
All WordPress sites running the Userpro plugin at version 5.1.9 or earlier are vulnerable. The vulnerability statement gives the affected range only as "n/a through <= 5.1.9", with no finer-grained version bounds, so any installation that has not been upgraded past version 5.1.9 is at risk. Site operators with older or unpatched copies should verify their installed plugin version immediately.
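One way to carry out that version review on a host, as an added example that is not part of the advisory or the plugin: read the `Version:` line from the plugin's main-file header and compare it against the 5.1.9 ceiling with `version_compare()`. The path to the plugin's main file is an assumption passed on the command line, since the advisory does not name the file; when no path is given the script runs against a constructed sample header.

```php
<?php
// Added example: compares a WordPress plugin header version against the
// affected ceiling named in this advisory (<= 5.1.9). Not code from the plugin
// or from OpenCVE. The plugin's main file path is supplied as argv[1]
// (assumption: the actual filename under wp-content/plugins/userpro/ is not
// stated in the advisory).

const USERPRO_AFFECTED_MAX = '5.1.9';

/**
 * Extracts the "Version:" value from a WordPress plugin header comment,
 * using the same tolerant line prefix WordPress itself accepts.
 * Returns null when no version line is present.
 */
function plugin_header_version( string $header ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

/**
 * True when $version falls inside the advisory's range "n/a through <= 5.1.9".
 * version_compare() handles dotted versions segment by segment, so 5.1.10 is
 * correctly treated as newer than 5.1.9, and pre-release suffixes such as
 * "5.1.9-beta1" sort below the final release.
 */
function userpro_is_affected( string $version ): bool {
    return version_compare( $version, USERPRO_AFFECTED_MAX, '<=' );
}

// Constructed sample header, used only when no file path is supplied.
$sample_header = <<<'HDR'
<?php
/**
 * Plugin Name: Example Plugin
 * Version: 5.1.9
 */
HDR;

// Only the first 8 KiB is needed; WordPress reads the header the same way.
$header = isset( $argv[1] ) ? file_get_contents( $argv[1], false, null, 0, 8192 ) : $sample_header;
if ( $header === false ) {
    fwrite( STDERR, "Could not read {$argv[1]}\n" );
    exit( 2 );
}

$version = plugin_header_version( $header );
if ( $version === null ) {
    fwrite( STDERR, "No Version: header found\n" );
    exit( 2 );
}

$affected = userpro_is_affected( $version );
printf(
    "Installed version %s: %s\n",
    $version,
    $affected ? 'AFFECTED (<= ' . USERPRO_AFFECTED_MAX . '), upgrade required' : 'outside the affected range'
);
exit( $affected ? 1 : 0 );
```

The non-zero exit status on an affected version lets the script be dropped into a fleet inventory job or a configuration-management check without parsing its output.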
Risk and Exploitability
The CVSS score of 7.5 classifies this issue as a high-severity vulnerability, indicating significant risk if it is exploited. However, the EPSS score of less than 1% indicates that the estimated likelihood of exploitation in the wild is currently very low. The issue is not listed in the CISA KEV catalog, meaning no known large-scale attacks have been observed yet. Exploitation would typically involve accessing improperly protected administrative or user pages without presenting additional credentials, so an attacker could act from a compromised or unauthenticated position. Overall, the potential impact is moderate to high, while the present probability of exploitation is low.
OpenCVE Enrichment