A missing authorization flaw in the inseri core plugin subverts the intended access control checks, enabling users who should not have permission to gain access to privileged functionality within the WordPress site. This weakness is classified as Authorization Bypass (CWE-862) and allows an attacker to bypass security policies that protect sensitive actions or data handled by the plugin.

The vulnerability impacts WordPress environments that have the inseriswiss inseri core plugin of version 1.0.5 or earlier deployed. It affects all installations that have inserted this plugin, regardless of other configuration settings and regardless of top-level WordPress version, since the plugin itself is the source of the control failure.

The CVSS score of 5.9 indicates a moderate severity level. The EPSS score of less than 1% suggests that the exploitation probability is low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the attack path most likely requires web-based interaction with the vulnerable plugin’s endpoints, potentially after authenticating as a legitimate user whose role does not ordinarily grant the sensitive capabilities exposed by the plugin. Exploitation would involve accessing URLs or API calls that are protected by the plugin’s broken authorization checks, thereby gaining access to actions or data that should be restricted.