Impact
The vulnerability resides in the processBackgroundAction() function, where a capability check is omitted, allowing any authenticated user with Subscriber-level access or higher to alter the global map engine settings of the WP Go Maps plugin. Such a change undermines the integrity of map configurations and could enable attackers to modify map behavior, data sources, or visual presentation. The weakness is improper authorization (CWE-862).
Affected Systems
WordPress sites utilizing the WP Go Maps plugin up to and including version 10.0.04 are affected. Users with Subscriber or higher roles on such installations can trigger the background action and change map engine settings. No specific hardware or additional software requirements are noted beyond a typical WordPress environment running the vulnerable plugin.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, further reducing the current threat level. However, the attack vector requires only authenticated access with a low-privilege user role, which is commonly available on public sites. An attacker could exploit the missing capability check by submitting a background action request, thereby changing configuration data that affects all users of the map feature. Because the flaw is not tied to user input or remote code execution, it does not entail an immediate catastrophic impact, but it can subvert the intended behavior of the mapping component.
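The pattern behind both the Impact and the Risk and Exploitability sections is a WordPress AJAX handler that writes a site-wide option without checking what the caller is allowed to do. The following is an added illustrative example, not code from the WP Go Maps plugin: a hypothetical handler shown first in the vulnerable form (CWE-862) and then with the fix a maintainer would apply. The function names, hook name, option name and engine values are assumptions for illustration.

```php
<?php
// Added example: hypothetical handler, not the WP Go Maps plugin's code.
// The hook, function, option and engine names below are assumptions.

// BEFORE (vulnerable pattern, CWE-862). wp_ajax_* hooks fire for every
// logged-in role, so without an authorization check a Subscriber can change
// a setting that affects every map on the site. Deliberately NOT hooked here.
function example_maps_background_action_vulnerable() {
    $engine = isset( $_POST['engine'] )
        ? sanitize_text_field( wp_unslash( $_POST['engine'] ) )
        : '';
    update_option( 'example_maps_engine', $engine ); // site-wide state change, no capability check
    wp_send_json_success();
}

// AFTER (hardened). Three independent controls:
//   1. capability check  -> fixes the missing authorization (the actual flaw)
//   2. nonce check       -> blocks CSRF abuse of the now-privileged endpoint
//   3. allow-list        -> only known engine identifiers can be stored
function example_maps_background_action_fixed() {
    // 1. Authorization: only users allowed to manage site options
    //    (administrators by default) may alter the global map engine.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // calls wp_die()
    }

    // 2. CSRF: the request must carry a nonce issued for this specific action
    //    (generated on the admin page with wp_create_nonce( 'example_maps_background_action' )).
    check_ajax_referer( 'example_maps_background_action', 'nonce' );

    // 3. Input validation: reject anything outside the known engine set.
    $allowed = array( 'google-maps', 'open-layers' ); // assumed engine identifiers
    $engine  = isset( $_POST['engine'] )
        ? sanitize_text_field( wp_unslash( $_POST['engine'] ) )
        : '';
    if ( ! in_array( $engine, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown engine' ), 400 );
    }

    update_option( 'example_maps_engine', $engine );
    wp_send_json_success( array( 'engine' => $engine ) );
}

// Only the hardened handler is registered; the vulnerable one is kept
// unhooked purely to show the missing check side by side.
add_action( 'wp_ajax_example_maps_background_action', 'example_maps_background_action_fixed' );
```

The capability check is the fix for the advisory's flaw; the nonce and allow-list are the controls a reviewer would expect on any privileged write endpoint. When auditing a plugin for this class of issue, look for every `wp_ajax_*` (and `admin_post_*`) callback that calls `update_option()` or otherwise mutates shared state and confirm a `current_user_can()` check sits before the write, since registering the hook alone grants access to every authenticated role.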
OpenCVE Enrichment