Impact
The vulnerability is a missing authorization check that allows users to exploit incorrectly configured access control security levels within the AA-Team WZone WooZone plugin. An attacker who can reach the plugin’s administrative interfaces may gain access to privileged functions, potentially performing actions that should be restricted to higher‑privileged users. This can compromise the confidentiality, integrity, or availability of the WordPress site by enabling unauthorized administrative changes, data exfiltration, or injection of malicious content.
Affected Systems
The vulnerability affects the AA-Team WZone WooZone plugin for WordPress in all releases up to and including version 14.0.31. Any WordPress site that has installed an affected version of this plugin is at risk. Site administrators should verify the plugin version and check for any custom configurations that might lower access control levels.
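As an added example (not part of the advisory or of the plugin's own code), the following Python script audits a wp-content/plugins directory for copies of the plugin at or below version 14.0.31. The header name pattern used to recognise the plugin and the sample directory tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (14, 0, 31)  # advisory: affected up to and including 14.0.31
# Assumption: the plugin's "Plugin Name" header contains "WooZone" or "WZone".
NAME_PATTERN = re.compile(r"woozone|wzone", re.I)
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)


def parse_version(text):
    """Turn '14.0.31' into (14, 0, 31), padding short versions with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts) + (0,) * (3 - len(parts))


def read_headers(php_file):
    """Parse the plugin header comment; WordPress only reads the first 8 KiB."""
    head = php_file.read_text(errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER.findall(head)}


def audit(plugins_dir):
    """Return sorted (folder, version, affected) for each matching plugin copy."""
    findings = []
    for php_file in Path(plugins_dir).glob("*/*.php"):
        h = read_headers(php_file)
        if NAME_PATTERN.search(h.get("plugin name", "")) and "version" in h:
            affected = parse_version(h["version"]) <= LAST_AFFECTED
            findings.append((php_file.parent.name, h["version"], affected))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample plugins directory; names and versions are made up."""
    root = Path(tempfile.mkdtemp())
    samples = {"woozone": ("WZone", "14.0.31"),
               "woozone-copy": ("WZone", "14.0.32"),  # constructed, not a known release
               "other-plugin": ("Unrelated", "1.0.0")}
    for folder, (name, version) in samples.items():
        (root / folder).mkdir()
        (root / folder / "main.php").write_text(
            f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for folder, version, affected in audit(build_sample_tree()):
        print(f"{folder}: {version} -> {'AFFECTED' if affected else 'above 14.0.31'}")
```

On a real site, pass the path of the wp-content/plugins directory to audit() instead of the sample tree.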
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector relies on reaching the plugin's privileged administrative pages, the most likely exploitation path involves a user with sufficient access to navigate to those URLs, or exploitation through a broader site compromise in which an attacker can locate the plugin's administrative endpoints. The risk is mitigated by updating the plugin to a non-affected version or by implementing remedial controls that restrict or monitor access to those endpoints.
OpenCVE Enrichment