Impact
Missing Authorization in the averta Shortcodes and extra features for Phlox theme plugin permits an attacker to exercise functionality beyond the intended permissions. The flaw is classified as CWE-862 (Missing Authorization): the plugin performs an action without first verifying that the requesting user is allowed to perform it, so the access control levels the site administrator configured are not enforced, potentially exposing sensitive data or permitting unauthorized actions within the WordPress site. The vulnerability does not involve remote code execution, but the ability to act beyond one's assigned role could be leveraged for further attacks if combined with other weaknesses.
Affected Systems
The vulnerability affects the averta Shortcodes and extra features for Phlox theme (auxiliary elements) plugin, from the initial release through version 2.17.15. Every installation running 2.17.15 or earlier is potentially exposed and should be updated.
Risk and Exploitability
The CVSS score of 4.3 places the vulnerability at medium severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. The attack path is inferred rather than documented here: an attacker would most likely send HTTP requests to plugin-provided endpoints (for example the AJAX or REST handlers behind its shortcodes, or its administrative screens) whose handlers do not check the caller's capability. Note that missing authorization (CWE-862) is not the same as missing authentication: the defect is that a request which reaches the handler is never checked against the caller's role, so the usual precondition in WordPress plugins of this class is an account with a low-privilege role (such as Subscriber) rather than no session at all. Whether unauthenticated requests can also reach the affected functionality is not stated on this page and should be confirmed against the vendor advisory before assuming either way.
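The following is an added illustration of what CWE-862 looks like in a WordPress plugin and how the check is restored, covering both the Impact and the Risk and Exploitability sections above. It is not code from the Phlox theme or the Auxin Elements plugin; the action names, the REST namespace, the option name and the `manage_options` capability are hypothetical choices made for the example.

```php
<?php
/**
 * Added example (not plugin code): a WordPress AJAX handler and a REST route
 * with the authorization check missing (CWE-862), each beside a hardened form.
 * Hook names, option name and capability are hypothetical.
 */

// --- Vulnerable AJAX pattern ------------------------------------------------
// Registered for logged-in users (wp_ajax_*) AND anonymous visitors
// (wp_ajax_nopriv_*). Nothing about the caller is verified before a site-wide
// option is written: any request to admin-ajax.php?action=example_save_settings
// succeeds, regardless of role.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( 'example_plugin_setting', sanitize_text_field( $value ) );
    wp_send_json_success( array( 'saved' => true ) );
}

// --- Hardened AJAX pattern --------------------------------------------------
// 1. No nopriv registration: the action is only wired for authenticated users.
// 2. check_ajax_referer() rejects cross-site forgery of a logged-in user's request.
// 3. current_user_can() is the authorization check CWE-862 describes as missing:
//    it gates the action on a capability, not merely on being logged in.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    check_ajax_referer( 'example_save_settings', 'nonce' ); // dies with 403 on a bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( 'example_plugin_setting', sanitize_text_field( $value ) );
    wp_send_json_success( array( 'saved' => true ) );
}

// --- The same defect in a REST route ----------------------------------------
// permission_callback => '__return_true' is an explicit "no authorization":
// anyone who can reach /wp-json/example/v1/settings may call the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => '__return_true',                 // vulnerable
    ) );

    register_rest_route( 'example/v1', '/settings-v2', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );           // hardened
        },
        'args'                => array(
            'value' => array( 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function example_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_setting', (string) $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of bug, the quick checks are to list every `wp_ajax_nopriv_*` registration and every `permission_callback` set to `__return_true`, then read the corresponding handlers for a `current_user_can()` call before any state change; a nonce check alone is not authorization, because a nonce only proves the request originated from the site's own pages, not that the user holds the needed capability.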
OpenCVE Enrichment