Impact
The Proxy & VPN Blocker plugin contains a missing authorization flaw that allows operations normally protected by user permissions to be performed without appropriate credentials. This weakness is classified as missing authorization (CWE-862) and can enable an attacker to trigger privileged functions by targeting the plugin’s endpoints. The impact is an unauthorized escalation of privilege within the WordPress site, potentially allowing the attacker to modify or delete content, change settings, or disrupt site operations.
Affected Systems
Any WordPress installation that has the Proxy & VPN Blocker plugin version 3.5.3 or earlier is affected. The flaw applies to all releases of the plugin up to and including 3.5.3, regardless of the underlying server environment.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not explicitly detailed in the advisory; the description indicates that the flaw affects plugin endpoints, so exploitation likely requires remote access to those endpoints. No specific conditions such as particular user roles or additional authentication steps are mentioned, so the precise pathway remains unspecified. The overall risk to the site depends on the presence of the vulnerable plugin and whether its protected features are exposed to unauthenticated users.