Impact
The vulnerability is an incorrect privilege assignment in the Institutions Directory plugin that allows a lower‑privileged user to gain higher privileges within a WordPress site. This flaw is a CWE‑266 weakness and can lead to unauthorized access to site configuration, content, or sensitive data. Because the plugin runs with normal WordPress permissions, an attacker could use the bug to elevate privileges and potentially take full control of the site.
Affected Systems
The flaw is present in the e‑plugins Institutions Directory plugin versions 1.3.4 and earlier. The plugin is distributed for WordPress sites, and no fixed release after 1.3.4 is identified. Any WordPress installation running the plugin at version 1.3.4 or below should therefore be treated as affected.
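As an added example (not part of the advisory and not the plugin's own code), the following script checks a WordPress install for an affected copy of the plugin by reading the standard plugin header ("Version: x.y.z" at the top of the main PHP file) and comparing it numerically against 1.3.4. The plugin directory name PLUGIN_SLUG and the sample header are assumptions; the header format is the standard WordPress one. The numeric comparison matters because a plain string comparison would place 1.3.10 before 1.3.4.

```python
"""Added example for the Affected Systems section: detect an affected install of
the Institutions Directory plugin (1.3.4 and earlier) from its plugin header.
Not from the advisory or the plugin; PLUGIN_SLUG is an assumed directory name."""
import re
import tempfile
from pathlib import Path
from typing import Optional

LAST_AFFECTED = "1.3.4"                  # highest affected version per the advisory
PLUGIN_SLUG = "institutions-directory"   # ASSUMED directory name; verify on your install

# Standard WordPress plugin header line, e.g. "Version: 1.3.4" or " * Version: 1.3.4"
_VERSION_RE = re.compile(r"^[ \t*]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Comparison key that orders versions numerically per component, so that
    1.3.10 > 1.3.4 (string comparison would get this wrong) and a pre-release
    such as 1.3.4-beta sorts just below the 1.3.4 release."""
    key = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if m:
            num, suffix = int(m.group(1)), m.group(2)
            key.append((num, 0 if suffix == "" else -1, suffix))
        else:
            key.append((-1, -1, piece))  # non-numeric component: sort lowest
    return tuple(key)


def is_affected(version: str) -> bool:
    """True when the version is 1.3.4 or earlier."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def find_plugin_version(plugins_dir: Path) -> Optional[str]:
    """Locate the plugin's main file (the .php file carrying a 'Plugin Name:'
    header) under wp-content/plugins/<slug>/ and return its declared version."""
    plugin_dir = plugins_dir / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="ignore")[:8192]
        if "Plugin Name:" in head:
            return parse_version(head)
    return None


def check_install(plugins_dir: Path) -> dict:
    """Summarise one install as {'installed', 'version', 'affected'}."""
    version = find_plugin_version(plugins_dir)
    return {
        "installed": version is not None,
        "version": version,
        "affected": version is not None and is_affected(version),
    }


# Constructed sample header in the standard WordPress format (not the real plugin's file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Institutions Directory (constructed sample)
Version: 1.3.4
*/
"""


def demo() -> dict:
    """Build a throwaway wp-content/plugins tree holding the sample header and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins_dir = Path(tmp) / "wp-content" / "plugins"
        (plugins_dir / PLUGIN_SLUG).mkdir(parents=True)
        (plugins_dir / PLUGIN_SLUG / "institutions-directory.php").write_text(SAMPLE_HEADER)
        return check_install(plugins_dir)


if __name__ == "__main__":
    print(demo())  # {'installed': True, 'version': '1.3.4', 'affected': True}
```

To run it against a real site, call `check_install(Path("/var/www/html/wp-content/plugins"))` (path is an example) after confirming the plugin's actual directory name; the `affected` flag is what a fleet inventory or a scheduled check would record.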
Risk and Exploitability
The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1 % suggests a low current probability of exploitation; the vulnerability is also not listed in the CISA KEV catalog. The attack likely requires authentication: the attacker needs to be able to register as a normal user or otherwise hold an authenticated session. An attacker who exploits the bug may be able to grant themselves or another account higher capabilities, gaining broader access to the WordPress back‑end. Because the flaw is local to the plugin, a direct exploit would typically require the attacker to execute code within the plugin environment, for example by uploading or modifying plugin files, or by chaining a separate authentication exploit.
OpenCVE Enrichment