Impact
A missing authorization check in the Plugin Optimizer plugin allows an attacker to perform actions that should be restricted to privileged users, a classic broken access control flaw. The weakness is classified as CWE-862 (Missing Authorization) and can enable unauthorized modification of plugin settings or other protected resources within WordPress. The impact is potential elevation of privileges or unauthorized configuration changes, compromising the confidentiality and integrity of the site configuration.
Affected Systems
The flaw affects the WordPress Plugin Optimizer plugin, specifically any installation running version 1.3.7 or earlier. No other vendors or products are listed, and the CVE notes that the issue is present from the earliest version through 1.3.7.
Risk and Exploitability
The CVSS score of 7.1 reflects a high impact for affected users, while the EPSS score of less than 1% indicates that exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. Attackers would need authenticated access to the WordPress backend and, based on the description, can exploit the broken access control once they hold a user session, allowing them to modify plugin behavior that should require higher privileges. Because exploitation requires an authenticated session rather than unauthenticated network access, the attack surface is likely limited to authenticated users with access to the WordPress admin area.
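The pattern described above, as an added illustration that is not code from the Plugin Optimizer plugin: a WordPress AJAX settings handler that trusts any logged-in user (the CWE-862 shape) beside the same handler with the capability and nonce checks a settings write needs. The action name `po_example_save` and option name `po_example_settings` are hypothetical.

```php
<?php
// Added illustration of a CWE-862 pattern in a WordPress AJAX settings handler.
// Not the Plugin Optimizer plugin's code; action and option names are hypothetical.

// VULNERABLE: wp_ajax_* handlers fire for any authenticated user, Subscriber included,
// and nothing here verifies that the caller is allowed to change plugin settings.
// (Hook line left commented so only the hardened handler is registered below.)
// add_action( 'wp_ajax_po_example_save', 'po_example_save_vulnerable' );
function po_example_save_vulnerable() {
    $settings = array(
        'mode' => sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) ),
    );
    update_option( 'po_example_settings', $settings ); // written with no authorization check
    wp_send_json_success( $settings );
}

// HARDENED: the same handler with the two checks a privileged settings write requires.
add_action( 'wp_ajax_po_example_save', 'po_example_save_hardened' );
function po_example_save_hardened() {
    // 1. Authorization: only users holding manage_options (Administrators by default)
    //    get past this line; wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. Request integrity: a nonce bound to this action stops a CSRF page from
    //    driving an administrator's browser through the handler. Dies on failure.
    check_ajax_referer( 'po_example_save', 'nonce' );

    // Input is sanitized only after the caller has been authorized.
    $settings = array(
        'mode' => sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) ),
    );
    update_option( 'po_example_settings', $settings );
    wp_send_json_success( $settings );
}
```

The admin-side script that calls this endpoint must send a `nonce` field produced by `wp_create_nonce( 'po_example_save' )`; when auditing a plugin for this class of bug, look for `wp_ajax_*`, `admin_post_*` and REST route handlers that write options without a `current_user_can()` check or a `permission_callback`.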
OpenCVE Enrichment