Impact
The vulnerability allows an authenticated user with Author-level or higher privileges to alter or reset widget settings across the site. Because the plugin performs no capability check in its save_widget() and reset_all_widgets() routines, an attacker can modify site appearance and functionality without authorization, an instance of missing authorization (CWE-862). The affected data consists of configuration parameters, not code, so the flaw permits tampering but not arbitrary code execution or data exfiltration.
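The missing-authorization pattern described above, shown as an added illustration rather than the RTMKit Addons plugin's own code: an AJAX handler that writes widget settings with no authorization check, beside a hardened version that the plugin's save and reset routines would both route through. The action, option and function names are assumed for the example.

```php
<?php
// Added illustration (not the plugin's code). Hypothetical names throughout.

// --- Vulnerable pattern: every logged-in user (Subscriber and up) can reach
// admin-ajax.php, so with no capability check any Author can overwrite settings.
function rtm_example_save_widget_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'rtm_example_widget_settings', $settings ); // no nonce, no capability check
    wp_send_json_success();
}
// (would be registered with add_action( 'wp_ajax_...', ... ) just like the hardened one)

// --- Hardened pattern: one guard shared by every state-changing handler.
function rtm_example_authorize( $nonce_action ) {
    // Rejects forged/stale requests (CSRF); dies with -1 if the nonce is invalid.
    check_ajax_referer( $nonce_action, 'nonce' );
    // 'edit_theme_options' is the core capability that governs widget management.
    // Authors and Editors lack it by default; Administrators have it.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

function rtm_example_save_widget() {
    rtm_example_authorize( 'rtm_example_save_widget' );
    // Assumes a flat key => string array; enforce the expected shape before storing.
    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $settings = array();
    foreach ( $raw as $key => $value ) {
        if ( is_string( $value ) ) {
            $settings[ sanitize_key( $key ) ] = sanitize_text_field( $value );
        }
    }
    update_option( 'rtm_example_widget_settings', $settings );
    wp_send_json_success();
}

function rtm_example_reset_all_widgets() {
    rtm_example_authorize( 'rtm_example_reset_all_widgets' );
    delete_option( 'rtm_example_widget_settings' );
    wp_send_json_success();
}

add_action( 'wp_ajax_rtm_example_save_widget', 'rtm_example_save_widget' );
add_action( 'wp_ajax_rtm_example_reset_all_widgets', 'rtm_example_reset_all_widgets' );
// The admin-side script obtains its nonce via wp_create_nonce( 'rtm_example_save_widget' )
// (for example passed through wp_localize_script) and sends it as the 'nonce' POST field.
```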
Affected Systems
This flaw affects the RTMKit Addons plugin for WordPress, version 2.0.2 and earlier, published by the vendor rometheme. Sites running these versions can be affected by any attacker who holds, or obtains, the Author role or higher within the WordPress installation.
Risk and Exploitability
The CVSS base score is 4.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. However, the attack requires only an authenticated session with Author privileges, a role commonly granted to content contributors. Based on the description, the attack is authenticated: once an attacker holds such a session, they can immediately modify or wipe widgets without further privilege escalation, making the risk significant for sites that rely on these widgets for critical content.
OpenCVE Enrichment