Impact
The LWSCache WordPress plugin contains an improper authorization check in the lwscache_activatePlugin() function. The function lets authenticated users with Subscriber-level access or higher activate any whitelisted LWS plugin, thereby elevating their privileges within the site. This broken access control weakness (CWE-285) enables an attacker who holds legitimate login credentials, or who has compromised a Subscriber account, to execute arbitrary plugin code, potentially leaking data, modifying content, or injecting further malicious plugins. The impact is limited to the affected WordPress site, but it can affect the confidentiality, integrity, and availability of that site's content.
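The pattern behind this class of bug, as an added illustration rather than the LWSCache plugin's own code: an AJAX handler that activates a plugin from a whitelist but gates the action only on "is logged in", which every wp_ajax_* hook already guarantees, placed beside a hardened version that requires the capability WordPress itself uses for plugin activation. The function names, hook names, whitelist entries and nonce action below are assumptions chosen for the example.

```php
<?php
// Added example (hypothetical names; not code from the LWSCache plugin).
// Assumes it runs inside WordPress so core functions such as activate_plugin()
// and current_user_can() are available.

// Hypothetical whitelist of plugin slugs the handler may activate.
const EXAMPLE_PLUGIN_WHITELIST = array(
    'example-plugin-a/example-plugin-a.php',
    'example-plugin-b/example-plugin-b.php',
);

// Reads and validates the requested plugin slug against the whitelist.
function example_requested_plugin() {
    $plugin = isset($_POST['plugin']) ? sanitize_text_field(wp_unslash($_POST['plugin'])) : '';
    if (!in_array($plugin, EXAMPLE_PLUGIN_WHITELIST, true)) {
        wp_send_json_error('plugin not allowed', 400);
    }
    return $plugin;
}

// Vulnerable pattern (CWE-285): no capability check. Any authenticated user,
// including a Subscriber, can reach this handler and trigger a plugin's
// activation code, which is an in-application privilege escalation.
function example_activate_plugin_vulnerable() {
    $plugin = example_requested_plugin();
    $result = activate_plugin($plugin);          // runs the plugin's activation hooks
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 500);
    }
    wp_send_json_success('activated');
}
add_action('wp_ajax_example_activate_vulnerable', 'example_activate_plugin_vulnerable');

// Hardened pattern: require 'activate_plugins' (Administrators only on a
// single-site install) and verify a nonce so the request cannot be forged
// cross-site. Both checks run before any user-controlled input is used.
function example_activate_plugin_hardened() {
    if (!current_user_can('activate_plugins')) {
        wp_send_json_error('insufficient permissions', 403);
    }
    check_ajax_referer('example_activate_plugin_nonce', 'nonce');
    $plugin = example_requested_plugin();
    $result = activate_plugin($plugin);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 500);
    }
    wp_send_json_success('activated');
}
add_action('wp_ajax_example_activate_hardened', 'example_activate_plugin_hardened');
```

The whitelist alone does not mitigate the issue: it restricts which plugin code runs, not who may run it, so the capability check is the control that closes the privilege escalation. When reviewing a plugin for this weakness, look at every wp_ajax_ and REST handler that changes site state and confirm each one calls current_user_can() with a capability appropriate to the action, not merely is_user_logged_in().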
Affected Systems
The vulnerability applies to the LWSCache plugin from vendor aurelienlws, all versions up to and including 2.8.5. Sites running any of these versions remain exposed until a patched release is installed.
Risk and Exploitability
The CVSS score of 4.3 classifies the risk as moderate, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker needs only an authenticated session with a Subscriber role or higher to activate arbitrary plugins, so the attack vector is an authenticated WordPress session. Because no further constraint applies, this is an in-application privilege escalation that can be abused once any valid account is obtained.
OpenCVE Enrichment