Impact
The vulnerability is an Insecure Direct Object Reference (IDOR) flaw that allows an attacker to bypass normal access controls by manipulating a user-controlled key, i.e. the value the request uses to name the object it wants. Because the plugin does not enforce proper authorization checks on that key, a malicious user can request resources or configuration data that they should not normally be able to access. This leads to unauthorized disclosure of sensitive information, potentially compromising the integrity of site configuration and user data. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) based on the description of the authorization bypass.
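To make the CWE-639 pattern concrete, the following added example shows a hypothetical WordPress AJAX handler that lets the request choose which option to read, beside a hardened version that authenticates the caller, checks a capability, and maps the client's key onto a server-side allow-list. This is illustrative code written for this page; it is not code from Really Simple Security Pro, and the action names, option-name prefix and the list of allowed keys are assumptions.

```php
<?php
// Added illustration, not code from the Really Simple Security Pro plugin.
// Both handlers are hypothetical AJAX endpoints; the action names, the
// 'idor_demo_' option prefix and the allow-list contents are assumptions.

// --- Vulnerable pattern: the request decides which record is returned ---
// Any caller who can reach admin-ajax.php picks an arbitrary option key, and
// nothing checks who is asking or whether that key may be exposed at all.
function idor_demo_get_setting_vulnerable() {
    $key   = $_POST['key'] ?? '';               // user-controlled direct reference
    $value = get_option( 'idor_demo_' . $key ); // looked up with no authorization
    wp_send_json_success( array( 'key' => $key, 'value' => $value ) );
}
add_action( 'wp_ajax_idor_demo_get_setting_vulnerable',        'idor_demo_get_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_idor_demo_get_setting_vulnerable', 'idor_demo_get_setting_vulnerable' );

// --- Hardened pattern: authenticate, authorize, then validate the reference ---
function idor_demo_get_setting_hardened() {
    // 1. Request forgery protection: the call must carry a nonce issued to this user.
    check_ajax_referer( 'idor_demo_settings', 'nonce' );

    // 2. Authorization: only users allowed to manage options may read them.
    //    current_user_can() returns false for unauthenticated visitors as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Indirect reference: accept only keys from a server-side allow-list, so a
    //    crafted key cannot reach other options stored in the database.
    $allowed = array( 'hsts_enabled', 'mixed_content_fixer' ); // assumed option names
    $key     = sanitize_key( $_POST['key'] ?? '' );
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown setting' ), 400 );
    }

    $value = get_option( 'idor_demo_' . $key );
    wp_send_json_success( array( 'key' => $key, 'value' => $value ) );
}
// No wp_ajax_nopriv_ hook: the endpoint is simply not registered for logged-out users.
add_action( 'wp_ajax_idor_demo_get_setting_hardened', 'idor_demo_get_setting_hardened' );
```

The three checks in the hardened handler are independent: the nonce stops cross-site requests, the capability check enforces who may read configuration, and the allow-list turns the client-supplied key from a direct reference into an indirect one. Dropping any one of them reintroduces a variant of the authorization bypass this advisory describes.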
Affected Systems
The Really Simple Security Pro plugin by Really Simple Plugins B.V. is affected from its earliest release through version 9.5.4.0. Any site running one of these versions is susceptible; upgrading to a release after 9.5.4.0 removes the flaw.
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability in the medium severity band. The EPSS score is below 1%, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote exploitation over the web through the plugin's administrative interface, where an attacker supplies altered key parameters. The available information does not specify whether the attacker must be authenticated; the flaw stems from incorrect access control and allows unauthorized access to protected resources.
OpenCVE Enrichment