The vulnerability is a missing authorization flaw in Arraytics Booktics that allows exploitation by leveraging incorrectly configured access control security levels. Attackers can execute actions that should be restricted, such as creating, editing, deleting, or viewing book entries, without the necessary permissions. This results in potential data tampering, exposure of sensitive information, and possible privilege escalation within the WordPress environment. The flaw is identified as CWE‑862: Missing Authorization.

Any WordPress site that incorporates the Arraytics Booktics plugin version 1.0.16 or earlier is susceptible. Sites using a vulnerable plugin instance before the latest patch may permit unauthorized users to bypass normal role restrictions and gain control over book management features.

The CVSS base score of 5.3 indicates a moderate severity, while an EPSS score of less than 1% shows a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is inferred to involve sending crafted HTTP requests to the plugin’s endpoints, either as an authenticated user with low privileges or, if the plugin contains open endpoints, even as an unauthenticated user. No public exploit has been reported, and the repository does not disclose additional conditions, so the risk remains moderate and can be mitigated primarily by applying the vendor's patch.