Impact
This vulnerability allows an attacker to bypass authorization controls in the Wired Impact Volunteer Management plugin for WordPress, enabling the exploitation of incorrectly configured access levels. The missing authorization flaw (CWE-862) permits unauthorized users to perform administrative actions or retrieve sensitive volunteer data, effectively elevating their privileges within the plugin’s scope. The impact is the potential exposure of personal information or unauthorized modification of volunteer records.
Affected Systems
WordPress sites running the Wired Impact Volunteer Management plugin version 2.8 or earlier are affected. No other vendors or products are listed for this issue. Site administrators should verify whether the plugin is installed and whether its version is at or below 2.8.
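One way to run that check across a plugins directory, as an added example that is not code from the plugin or from this advisory. It assumes the standard WordPress plugin header fields `Plugin Name` and `Version`; the sample tree and its directory names are constructed.

```python
import re
import tempfile
from pathlib import Path

TARGET_NAME = "Wired Impact Volunteer Management"  # plugin name from the advisory
LAST_AFFECTED = "2.8"                              # advisory: 2.8 or earlier
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def read_headers(php_file):
    """Header fields from the first 8 KiB, where WordPress itself looks."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    return {k.lower(): v.strip() for k, v in HEADER.findall(text)}

def version_key(version):
    """Numeric key: 2.10 > 2.8 and 2.8.0 == 2.8; None if not parseable."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return None
    parts = [int(n) for n in m.group().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def find_affected(plugins_dir):
    """(directory, version) for each installed copy at or below LAST_AFFECTED."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php)
        if h.get("plugin name", "").casefold() != TARGET_NAME.casefold():
            continue
        key = version_key(h.get("version", ""))
        # An unparseable version is reported too, for a manual check.
        if key is None or key <= version_key(LAST_AFFECTED):
            hits.append((php.parent.name, h.get("version") or "unknown"))
    return hits

def build_sample(root, versions):
    """Constructed sample tree: one plugin directory per version string."""
    for i, v in enumerate(versions):
        d = Path(root, f"sample-{i}")  # hypothetical directory names
        d.mkdir()
        (d / "plugin.php").write_text(
            f"<?php\n/**\n * Plugin Name: {TARGET_NAME}\n * Version: {v}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, ["2.8", "2.7.1", "2.10", "2.8.1"])
        print(find_affected(root))
```

Point `find_affected` at the site's `wp-content/plugins` directory; matching is by header name, so a renamed plugin folder is still found.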
Risk and Exploitability
The CVSS score of 5.3 marks this flaw as a medium-severity vulnerability, while the EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the WordPress admin interface or any user input that triggers the plugin’s privileged functions. Exploitation requires an attacker to reach the plugin’s protected endpoints, which typically means either possessing remote access to the site or having an account with sufficient role privileges to invoke the plugin’s operations.