Impact
The vulnerability is a missing authorization flaw in the free-php-version-info functionality of the Funlus Oy WPLifeCycle WordPress plugin, which allows attackers to exploit incorrectly configured access controls. The CVE description reads: "Missing Authorization vulnerability in Funlus Oy WPLifeCycle free-php-version-info allows Exploiting Incorrectly Configured Access Control Security Levels." This broken access control (CWE-862) means an unauthenticated or poorly authenticated user can access privileged operations or sensitive information that should be protected, potentially leading to data exposure or unauthorized actions within the WordPress site.
Affected Systems
The affected product is the Funlus Oy WPLifeCycle WordPress plugin, in all versions from the earliest release through version 3.3.1. The vulnerable code resides in the free-php-version-info endpoint, so any installation of the plugin up to and including 3.3.1 is impacted. No specific revision numbers are listed, but the issue applies to the entire range of affected versions.
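To check a site against the affected range above, the following added example (not part of the advisory or the plugin) reads the plugin's Version header and compares it with 3.3.1. It assumes the plugin is installed in a directory named free-php-version-info under wp-content/plugins; the function names and the sample file are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (3, 3, 1)              # advisory: every release through 3.3.1
PLUGIN_DIR = "free-php-version-info"   # assumption: install directory name

# Header line prefixed by comment characters, as in WordPress plugin files.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'3.3.1' -> (3, 3, 1). Stops at the first non-numeric part and drops
    trailing zeros so '3.3.1.0' compares equal to '3.3.1'."""
    parts = []
    for piece in (text or "").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_version(plugins_root):
    """Version header of the plugin's main file; None when the plugin is
    absent, '' when it is present but no version could be read."""
    plugin_path = Path(plugins_root) / PLUGIN_DIR
    if not plugin_path.is_dir():
        return None
    for php in sorted(plugin_path.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        if "Plugin Name:" in head:
            m = VERSION_RE.search(head)
            return m.group(1) if m else ""
    return ""

def is_affected(version):
    """None (not installed) is clean; an unreadable version fails closed."""
    if version is None:
        return False
    return parse_version(version) <= LAST_AFFECTED

def make_sample(root, version):
    """Constructed sample: a minimal plugin header for the demo below."""
    d = Path(root) / PLUGIN_DIR
    d.mkdir(parents=True)
    (d / "main.php").write_text(
        f"<?php\n/*\n * Plugin Name: Sample\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, "3.3.1")
        v = installed_version(tmp)
        print(v, "affected" if is_affected(v) else "not affected")
```

On a real host, pass the site's wp-content/plugins path to installed_version(); an installed plugin whose version cannot be read is reported as affected so that it gets a manual look.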
Risk and Exploitability
The CVSS score of 5.3 indicates moderate risk, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote HTTP requests to the free-php-version-info endpoint, and the exploit requires the ability to interact with the WordPress site, possibly requiring an authenticated user with limited privileges. Because the problem is a broken access control, an attacker could gain unauthorized access to sensitive information or functionality if the endpoint is exposed.
OpenCVE Enrichment