Impact
The vulnerability is an access control flaw in the Directory Pro plugin that allows attackers to bypass authorization checks by exploiting incorrectly configured access levels. This can lead to unauthorized access to directory data and potential manipulation of directory entries. The flaw is classified as CWE-862 (Missing Authorization): the plugin fails to enforce proper access controls, which may allow attackers to read or modify data they should not have permission to use, compromising the confidentiality, integrity, and availability of the directory service.
Affected Systems
The issue affects all installations of the e-plugins Directory Pro plugin at versions up to and including 2.5.6, so any earlier release is also potentially vulnerable. Versions newer than 2.5.6 are considered unaffected by this specific flaw.
Risk and Exploitability
The flaw carries a CVSS score of 7.3, classifying it as high severity, yet the EPSS score is below one percent, suggesting a low probability of exploitation at this time. It has not been cataloged in the CISA Known Exploited Vulnerabilities list. The likely attack vector is through the WordPress administration interface or exposed plugin endpoints where an attacker could manipulate directory configurations or query restricted data without proper authorization. Exploitation would require the attacker to find a way to force the plugin to expose administrative functionality or use a crafted request that bypasses role checks, but the vulnerability is not currently known to have an active exploit.