Impact
The NextMove Lite WordPress plugin suffers from an Insecure Direct Object Reference flaw: a user-controlled key is used to look up plugin resources without an adequate authorization check on the object it refers to. By altering request parameters, an unauthorized individual may access, view, or modify data intended only for privileged users. The weakness stems from missing or improperly enforced authorization checks on that key, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability can lead to unauthorized information disclosure or modification of the thank‑you page content and related settings, compromising the integrity of the site’s checkout flow.
Affected Systems
The impacted vendor is XLPlugins, specifically the NextMove Lite woo‑thank‑you‑page‑nextmove‑lite plugin in all versions up to and including 2.23.0. Any WordPress installation running this plugin within that version range may be susceptible. No finer-grained breakdown of affected sub‑versions is provided, so the entire range from the first release through 2.23.0 is considered at risk.
Risk and Exploitability
The CVSS base score of 5.3 indicates moderate severity, while the EPSS probability is below 1%, indicating a low likelihood of exploitation in the near term. The flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited, but that does not reduce its potential impact. An attacker would need network or application access to reach the affected functionality and, if successful, could bypass the plugin's normal authorization controls. Because the vulnerability is tied to user‑controlled keys, it can be exercised by anyone who understands the key structure, potentially from a public or low‑privilege user context.
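To make the CWE-639 pattern described under Impact and Risk and Exploitability concrete, the following is an added illustration written for this page, not code from the NextMove Lite plugin: a hypothetical WordPress AJAX handler for thank-you page settings (the action names, the tyl_ prefix, the tyl_page post type and the option/meta keys are all assumed) shown first in its vulnerable form and then with object-level authorization enforced.

```php
<?php
// Hypothetical example, not the plugin's code. A client-supplied "page_id"
// selects which thank-you page settings object the handler reads or updates.

// --- Vulnerable pattern (CWE-639): the key is honoured as-is. Unauthenticated
// --- callers are allowed, and nothing ties the caller to the requested object.
add_action('wp_ajax_nopriv_tyl_get_settings', 'tyl_get_settings_vulnerable');
add_action('wp_ajax_tyl_get_settings',        'tyl_get_settings_vulnerable');
function tyl_get_settings_vulnerable() {
    $page_id  = $_REQUEST['page_id'];                      // user-controlled key
    $settings = get_post_meta((int) $page_id, 'tyl_settings', true);
    wp_send_json_success($settings);                       // returned to anyone
}

add_action('wp_ajax_tyl_save_settings', 'tyl_save_settings_vulnerable');
function tyl_save_settings_vulnerable() {
    // Logged in, but any subscriber may overwrite any page's settings.
    $page_id = (int) $_REQUEST['page_id'];
    update_post_meta($page_id, 'tyl_settings', wp_unslash($_REQUEST['settings']));
    wp_send_json_success();
}

// --- Hardened pattern: authenticated endpoint only, CSRF nonce, validated key,
// --- object existence/type check, and a per-object capability check so the
// --- caller must be allowed to edit *this* page, not merely be logged in.
add_action('wp_ajax_tyl_save_settings_safe', 'tyl_save_settings_safe');
function tyl_save_settings_safe() {
    check_ajax_referer('tyl_settings', 'nonce');           // rejects forged requests
    $page_id = absint($_REQUEST['page_id'] ?? 0);          // coerce to a valid id
    if (!$page_id || get_post_type($page_id) !== 'tyl_page') {
        wp_send_json_error('not found', 404);              // unknown or wrong object
    }
    // Meta capability mapped to the specific post: fails for users who
    // cannot edit this particular thank-you page (object-level authorization).
    if (!current_user_can('edit_post', $page_id)) {
        wp_send_json_error('forbidden', 403);
    }
    $raw      = wp_unslash($_REQUEST['settings'] ?? []);
    $settings = is_array($raw) ? array_map('sanitize_text_field', $raw) : [];
    update_post_meta($page_id, 'tyl_settings', $settings);
    wp_send_json_success();
}
```

The defensive checks to look for in any plugin handler are the same three: a nonce, a capability check bound to the specific object id, and validation that the id refers to an object of the expected type.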
OpenCVE Enrichment