Impact
The vowelweb VW Portfolio WordPress theme has a missing authorization flaw: its access control security levels are incorrectly configured, and attackers can exploit this. The broken access control can let an attacker perform unauthorized actions such as editing, deleting, or viewing protected content, compromising the integrity and confidentiality of the site's data. The weakness is classified as CWE-862 (Missing Authorization), a failure to restrict access to privileged operations.
Affected Systems
Vowelweb VW Portfolio theme versions up to and including 1.3.3 are vulnerable. The vulnerability range is described as "from n/a through <= 1.3.3," meaning that any deployment of the theme with a version number 1.3.3 or earlier is affected. No specific sub-versions are listed, so all releases within this range should be treated as susceptible.
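To find affected installs, the following added example (not part of the advisory or the theme's code) reads each installed theme's `style.css` header and flags copies of VW Portfolio at version 1.3.3 or earlier. It assumes the theme is identified by its `Theme Name` header and that themes live under `wp-content/themes`; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

THEME_NAME = "VW Portfolio"   # theme name as given in the advisory
LAST_AFFECTED = (1, 3, 3)     # advisory range: "<= 1.3.3"
# WordPress-style header line, e.g. " * Version: 1.3.3" inside the leading CSS comment
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)

# Constructed sample header (not copied from the real theme)
SAMPLE_CSS = """/*
Theme Name: VW Portfolio
Version: 1.3.3
*/
body { margin: 0; }
"""

def parse_theme_header(css_text):
    """Return lower-cased header fields found in the first 8 KB of style.css."""
    fields = {}
    for key, value in HEADER_RE.findall(css_text[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """Leading dotted-numeric part of a version: '1.3.3-beta' -> (1, 3, 3)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def is_affected(version):
    """True when version <= 1.3.3; unparseable versions count as affected."""
    v = version_tuple(version)
    if v is None:
        return True
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))   # so 1.3 compares as 1.3.0
    return pad(v) <= pad(LAST_AFFECTED)

def scan_themes(themes_dir):
    """Return (directory, version, affected) for each installed copy of the theme."""
    hits = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        hdr = parse_theme_header(css.read_text(encoding="utf-8", errors="replace"))
        if hdr.get("theme name", "").lower() == THEME_NAME.lower():
            ver = hdr.get("version", "")
            hits.append((css.parent.name, ver, is_affected(ver)))
    return hits

if __name__ == "__main__":
    for name, ver, bad in scan_themes(sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes"):
        print(f"{name}: version {ver or 'unknown'} -> {'AFFECTED' if bad else 'not in range'}")
```

A "not in range" result only means the version is above 1.3.3; the advisory text here does not name a fixed release. Copies whose `Theme Name` header has been edited are not matched.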
Risk and Exploitability
The CVSS score of 5.3 suggests moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further supporting its current low exploitation probability. Attackers would likely exploit the flaw remotely by sending crafted HTTP requests to the theme’s endpoints, bypassing normal WordPress permission checks. This inference is based on the nature of the described missing authorization flaw in a WordPress theme, a context that typically allows remote access when misconfigured. No additional exploitation conditions are specified in the dossier.