Impact
Missing authorization in the Hyyan WooCommerce Polylang Integration plugin allows users with insufficient privileges to perform actions reserved for higher-level accounts. Affected functions may include modifying product listings or language settings, potentially enabling unauthorized changes to store content. The weakness is identified as CWE‑862 and is rated with a CVSS score of 6.5, indicating moderate to high severity.
Affected Systems
The vulnerability affects all installations of the Hyyan WooCommerce Polylang Integration plugin version 1.5.0 or earlier on WordPress sites. The plugin is developed by Hyyan Abo Fakher and integrates WooCommerce with Polylang for multilingual e‑commerce sites. No version information beyond 1.5.0 is provided, so any deployment of the plugin that has not been upgraded should be considered at risk.
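To check an installation against the affected range above, the following added example (not code from OpenCVE or from the plugin) reads WordPress plugin file headers and flags copies at version 1.5.0 or earlier. It assumes the plugin's header carries the name exactly as this advisory writes it and that you supply the path to your own `wp-content/plugins` directory; the sample header is constructed.

```python
import re
from pathlib import Path

PLUGIN_NAME = "Hyyan WooCommerce Polylang Integration"  # assumption: header name matches the advisory
LAST_AFFECTED = (1, 5, 0)                               # advisory: "version 1.5.0 or earlier"

def read_header(php_source: str) -> dict:
    """Extract Plugin Name / Version from a WordPress plugin file header."""
    head = php_source[:8192]  # WordPress only reads the first 8 KiB for headers
    out = {}
    for field in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.I | re.M)
        if m:
            out[field] = m.group(1).strip().rstrip("*/").strip()
    return out

def version_tuple(version: str) -> tuple:
    """Turn '1.4.3' into (1, 4, 3); stop at the first non-numeric part (e.g. 'beta')."""
    parts = []
    for piece in re.split(r"[.\-+]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(header: dict) -> bool:
    if header.get("Plugin Name", "").lower() != PLUGIN_NAME.lower():
        return False
    version = header.get("Version")
    # No parseable version: treat as at risk rather than silently passing it.
    return version is None or version_tuple(version) <= LAST_AFFECTED

def scan(plugins_dir: str) -> list:
    """Return (path, version) for affected copies under a wp-content/plugins directory."""
    hits = []
    for php in Path(plugins_dir).glob("*/*.php"):
        header = read_header(php.read_text(errors="replace"))
        if is_affected(header):
            hits.append((str(php), header.get("Version", "unknown")))
    return hits

# Constructed sample header, not copied from the plugin's source.
SAMPLE = "<?php\n/*\n * Plugin Name: Hyyan WooCommerce Polylang Integration\n * Version: 1.5.0\n */\n"

if __name__ == "__main__":
    print(is_affected(read_header(SAMPLE)))
```

Call `scan()` with the plugins directory of each site you manage; an empty list means no copy in the affected range was found under that path.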
Risk and Exploitability
The risk level is moderate, as reflected by the CVSS score, while the EPSS score of less than 1% shows a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. An attacker could likely exploit this issue via web requests to plugin endpoints, given that standard WordPress authentication mechanisms do not enforce sufficient access controls when the plugin processes requests.