Impact
The vulnerability is a missing authorization flaw in CoolHappy The Events Calendar Countdown Addon, as described in the CVE. The description states that incorrectly configured access control security levels can be exploited, but it does not specify whether an authenticated or unauthenticated user can invoke privileged functionality. Based on the description, it is inferred that a user who can submit crafted requests to privileged endpoints may be able to access or manipulate data that should be restricted. The weakness is catalogued as CWE‑862 and results in a low CVSS score of 4.3, indicating that, while it does not enable arbitrary code execution, it can impact confidentiality, integrity, or availability of scheduled event information.
Affected Systems
CoolHappy The Events Calendar Countdown Addon versions from the earliest available through 1.4.15 are affected. Users running any of these versions should expect the access control flaw to be present.
Risk and Exploitability
The CVSS score of 4.3 reflects a low severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a remote web‑application exploit, where an attacker manipulates URLs or form fields to access restricted functions. The CVE description notes only a missing authorization check and does not specify whether authentication is required. Based on the description, it is inferred that an attacker who can send crafted requests to the affected endpoints may be able to trigger the flaw.