Impact
The missing authorization flaw in the myCred WordPress plugin, classified as CWE-862, allows an attacker to perform actions that should be restricted by plugin security settings. The vulnerability could enable the attacker to access or modify sensitive user data, manipulate account balances, or execute administrative operations that are normally protected. Because the flaw lies in the enforcement of access control, exploitation could lead to data exposure or integrity compromise at the site level.
Affected Systems
The affected component is the myCred plugin created by Saad Iqbal for WordPress. All releases with version numbers from the earliest available iteration through 2.9.7.3 are vulnerable. No later versions were listed as patched in the provided data, so any installation of the plugin with a version equal to or below 2.9.7.3 must be considered at risk.
Risk and Exploitability
The CVSS v3 score of 4.3 indicates a medium-severity vulnerability, while the EPSS score of less than 1% implies a very low probability of exploitation in the wild at this time. The vulnerability is not currently documented in the CISA KEV catalog. Based on the available information, the attack vector would likely require an authenticated user, or someone otherwise able to send crafted requests to the plugin's endpoints, to exploit the broken enforcement of security levels. From such an authenticated session, an attacker could invoke privileged plugin functions that lack proper authorization checks. Given the low exploitation probability and the absence of known public exploits, the risk remains moderate but should be mitigated promptly.
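The Impact and Risk sections above describe the general shape of a CWE-862 flaw in a WordPress plugin: a request handler that changes protected state without first verifying that the caller is allowed to do so. The following is an added illustration, not code from myCred or from its author, of the authorization checks a WordPress AJAX handler needs. The handler names, the `example_adjust_points` action, the `example_points` user meta key and the `example_manage_points` capability are hypothetical placeholders; the WordPress API functions used (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `absint`, `get_userdata`, `update_user_meta`) are real.

```php
<?php
// Added illustration (hypothetical plugin, not myCred code) of a missing
// authorization defect (CWE-862) beside its hardened form.

// BEFORE: missing authorization. Any logged-in user can reach a wp_ajax_
// handler, and nothing here verifies that the caller is permitted to change
// another account's balance, nor that the request was intentionally issued.
function example_adjust_points_vulnerable() {
    $user_id = (int) $_POST['user_id'];
    $amount  = (float) $_POST['amount'];
    update_user_meta( $user_id, 'example_points', $amount );
    wp_send_json_success();
}

// AFTER: enforce authorization before touching any state.
function example_adjust_points_hardened() {
    // 1. Request forgery protection: the request must carry a nonce minted
    //    for this specific action. check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_adjust_points', 'nonce' );

    // 2. Authorization: the caller must hold the capability that guards this
    //    operation. A dedicated capability (granted to roles on activation)
    //    lets site owners scope access narrowly rather than relying on the
    //    broad 'manage_options'.
    if ( ! current_user_can( 'example_manage_points' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation only after the caller is known to be authorized.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $amount  = isset( $_POST['amount'] ) ? floatval( wp_unslash( $_POST['amount'] ) ) : 0.0;
    if ( 0 === $user_id || false === get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user' ), 400 );
    }

    update_user_meta( $user_id, 'example_points', $amount );
    wp_send_json_success( array( 'user_id' => $user_id, 'amount' => $amount ) );
}
add_action( 'wp_ajax_example_adjust_points', 'example_adjust_points_hardened' );
```

The order matters: the nonce check confirms the request was deliberately issued by the session, the capability check confirms the session is allowed to perform the operation, and only then is user input parsed and state modified. A handler that performs only the nonce check, or only the capability check, still leaves one of these two gaps open, and neither check is implied by the `wp_ajax_` hook itself.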
OpenCVE Enrichment