Impact
The documented weakness is an Insecure Direct Object Reference (IDOR), also known as Authorization Bypass Through User-Controlled Key and classified as CWE-639. An attacker who can manipulate request parameters may be able to access or alter content that should be restricted to specific users. The impact is unauthorized disclosure or modification of data, potentially compromising the confidentiality and integrity of the WordPress site. There is no indication that the flaw leads to execution of arbitrary code, denial of service, or system compromise.
Affected Systems
The vulnerable component is the Mikado-Themes PawFriends – Pet Shop and Veterinary WordPress Theme. All releases from the initial launch through version 1.3 are affected, meaning any site running this theme at or below that version could be subject to the IDOR flaw. Although there is no direct evidence that newer releases (1.4 and up) contain the fix, those versions are assumed to be unaffected.
Risk and Exploitability
The CVSS score of 7.5 places the vulnerability in the high range, while the EPSS score of less than 1 % indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is web-based, through manipulation of URLs or form inputs that reference privileged content. Exploitation would require that the attacker has some level of web access to the site, either as a normal user or through the administrative interface where the indirect references are used. No special preconditions beyond the presence of the vulnerable theme are documented, so any publicly accessible WordPress instance with the affected theme is at risk.
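To make the weakness class described in the Impact and Risk sections concrete, the following is an added illustration of the generic IDOR pattern in a WordPress AJAX handler, shown beside a hardened version. It is example code written for this page, not code from the PawFriends theme or from Mikado-Themes; the action name, nonce name, post type and function names are assumptions chosen for the illustration. The WordPress functions it calls (`get_post`, `absint`, `check_ajax_referer`, `is_user_logged_in`, `get_current_user_id`, `current_user_can`, `wp_send_json_*`, `add_action`) are standard core APIs.

```php
<?php
// Added example for this page: a minimal IDOR pattern and its fix.
// NOT code from the PawFriends theme. The action name, nonce name,
// post type 'example_private_note' and function names are assumptions.

// --- Vulnerable pattern ------------------------------------------------------
// The object key comes straight from the request and is used as-is. Any
// logged-in (or even anonymous, if hooked on wp_ajax_nopriv_*) client can read
// any note simply by changing note_id in the URL or form body.
function example_get_private_note_vulnerable() {
    $note_id = isset( $_GET['note_id'] ) ? (int) $_GET['note_id'] : 0;
    $note    = get_post( $note_id );            // honours whatever ID was supplied
    if ( ! $note ) {
        wp_send_json_error( 'not found', 404 ); // wp_send_json_error() exits
    }
    wp_send_json_success( array( 'content' => $note->post_content ) );
}

// --- Hardened pattern --------------------------------------------------------
// Same lookup, but the user-controlled key is only honoured after the server
// (1) ties the request to a form this site issued (nonce), (2) requires an
// authenticated caller, and (3) checks that caller's authority over *this*
// object rather than trusting the reference itself.
function example_get_private_note_hardened() {
    check_ajax_referer( 'example_note_nonce', 'nonce' );   // assumed nonce action/field

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $note_id = absint( $_GET['note_id'] ?? 0 );
    $note    = get_post( $note_id );

    // Object must exist and be of the type this endpoint is meant to serve.
    // Respond identically for "missing" and "not yours" so a client that walks
    // through IDs cannot distinguish valid objects from forbidden ones.
    if ( ! $note || 'example_private_note' !== $note->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Authorization on the server side: the owner may read it, or anyone who
    // holds the edit_post meta-capability for this specific post (editors/admins).
    $is_owner = (int) $note->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_post', $note_id ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array( 'content' => $note->post_content ) );
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for comparison.
add_action( 'wp_ajax_example_get_private_note', 'example_get_private_note_hardened' );
```

The defensive point is that the object identifier in the request is treated as untrusted input: existence of the object is never enough, and the decision about whether the caller may see it is made from the caller's identity and capabilities on the server. When auditing a theme or plugin for this weakness class, look for handlers that pass `$_GET`/`$_POST` identifiers into `get_post()`, `get_user_by()` or direct database queries without an accompanying `current_user_can()` (or ownership) check, and for nonce checks that are present but not followed by any authorization check, since a nonce only proves the request came from a form on the site, not that the user may access the referenced object.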
OpenCVE Enrichment