Impact
The Penci AI SmartContent Creator plugin contains a missing authorization check, which results in a broken access control vulnerability. An attacker who can reach the plugin’s endpoints may create new posts, modify or delete existing content, or execute other privileged actions without proper permission. This flaw aligns with CWE-862 (Missing Authorization): the application fails to verify a user’s entitlement before allowing access to sensitive operations. The CVSS base score of 4.3 reflects moderate impact, with potential loss of data integrity or availability if the vulnerability is abused. Based on the description, it is inferred that the attacker may need to be a logged-in WordPress user, although the plugin’s endpoints may be reachable without authentication if they are not properly protected.
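The pattern behind a CWE-862 finding in a WordPress plugin is usually an endpoint whose handler performs a privileged action (here, creating a post) without first asking WordPress whether the caller is allowed to. The following is an added illustration, not code from the Penci AI SmartContent Creator plugin; the namespace `example-ai/v1`, the route paths and the callback name are hypothetical. It shows the weak registration beside a hardened one that enforces authorization in `permission_callback`, where WordPress evaluates it before the handler runs.

```php
<?php
/*
 * Added illustration of CWE-862 in a WordPress REST route (hypothetical code,
 * not the plugin's own). Two routes are registered under different paths so
 * the weak and hardened forms can be compared side by side.
 */

// Weak pattern: no 'permission_callback'. Since WordPress 5.5 core emits a
// _doing_it_wrong() notice for this, but the route is still registered and
// the callback runs for any request that reaches /wp-json/.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ai/v1', '/generate-post-unchecked', array(
        'methods'  => 'POST',
        'callback' => 'example_ai_generate_post',
        // 'permission_callback' is missing: the privileged action is reachable
        // without any entitlement check (CWE-862).
    ) );
} );

// Hardened pattern: authorization is decided before the callback executes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ai/v1', '/generate-post', array(
        'methods'             => 'POST',
        'callback'            => 'example_ai_generate_post',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Require an authenticated user who holds the capability that
            // matches the action the handler performs. For cookie-based
            // sessions WordPress core additionally requires a valid
            // X-WP-Nonce header before the user is considered logged in.
            if ( ! is_user_logged_in() || ! current_user_can( 'publish_posts' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to create posts.', 'example-ai' ),
                    // 401 for anonymous callers, 403 for authenticated ones.
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'title' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Shared handler. Note that it contains no authorization logic of its own:
// the weak route exposes exactly this code to unauthorized callers.
function example_ai_generate_post( WP_REST_Request $request ) {
    $post_id = wp_insert_post( array(
        'post_title'  => $request->get_param( 'title' ),
        'post_status' => 'draft',
        'post_author' => get_current_user_id(),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    return rest_ensure_response( array( 'id' => $post_id ) );
}
```

When reviewing a plugin for this class of bug, look for every `register_rest_route()` call whose `permission_callback` is absent or set to `__return_true`, and for every `wp_ajax_*` (and especially `wp_ajax_nopriv_*`) handler that performs a write without `current_user_can()` and `check_ajax_referer()`. Actions on an existing post should check the object-level capability, such as `current_user_can( 'edit_post', $post_id )` or `current_user_can( 'delete_post', $post_id )`, rather than a blanket role check.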
Affected Systems
All WordPress installations that use the Penci AI SmartContent Creator plugin version 2.0 or earlier are affected. This includes any site that has installed the plugin from the first public release up to the 2.0 release; versions later than 2.0 are not known to be vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS probability of less than 1% suggests that the overall likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to target sites that use a recent version of WordPress with the plugin active, especially if the plugin’s endpoints are exposed to unauthenticated users. If authentication is required, an attacker would need to compromise or guess a legitimate WordPress user account with sufficient role privileges.
OpenCVE Enrichment