Missing Authorization in the Ultimate Post Kit plugin allows attackers to perform actions beyond their intended privileges. This is a classic access control weakness (CWE‑862) that can result in unauthorized data exposure or manipulation. It does not directly grant code execution but enables privileged operations that may compromise the integrity and availability of the WordPress site.

bdthemes Ultimate Post Kit plugin is affected, specifically all releases up to and including version 4.0.21. The issue arises from incorrect configuration of the plugin’s security levels, which have been left at default or overly permissive settings. WordPress administrators should verify that only trusted accounts have the necessary rights to use the plugin’s features.

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1 percent suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, meaning there is no known active exploitation in the wild. Attackers appear to be able to exploit incorrectly configured access control levels, likely through the WordPress administrative interface or plugin‑exposed endpoints, though the exact mechanics are not detailed in the description. Based on the description it is inferred that an attacker with limited rights could use the plugin’s capabilities to perform higher‑privilege operations, potentially escalating privileges or bypassing restrictions.