Impact
The Filter Plus WordPress plugin, version 1.1.17 and earlier, performs at least one privileged operation without first checking that the caller is authorized to perform it. Users whose role should not grant that operation can therefore invoke it or view content that should be restricted to higher-privileged roles. The consequence is a loss of confidentiality and integrity on the affected site, for example through unauthorized changes to the plugin's filter settings or other privileged actions the unchecked code path exposes. The weakness is classified as CWE-862, Missing Authorization, one of the weaknesses grouped under broken access control.
Affected Systems
The affected product is the Wpbens Filter Plus WordPress plugin, referred to as "Filter Plus." All releases up to and including version 1.1.17 are affected. Site operators running this plugin on any WordPress installation should confirm the installed version (from the Plugins screen, or with `wp plugin list` under WP-CLI) and apply the vendor's update.
Risk and Exploitability
A CVSS base score of 5.4 places the issue in the medium band, and an EPSS estimate below 1% indicates a low predicted probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so there is no public evidence of active exploitation at the time of writing. The advisory does not name the vulnerable endpoint or the privilege level required to reach it. In a WordPress plugin, a missing authorization check usually means an admin-ajax.php action, a REST route, or an admin-post handler that performs a privileged operation without calling current_user_can(); a nonce check alone establishes that the request came from a page the site rendered, not that the caller is allowed to perform the action. If the handler is registered only under the wp_ajax_ hook, any logged-in account, including a subscriber, can reach it; if it is also registered under wp_ajax_nopriv_, or the REST route's permission_callback is __return_true, unauthenticated visitors can reach it as well. An attacker who already has write access to the site's database needs no plugin flaw, so that scenario is not the relevant vector. The only prerequisites are a reachable WordPress site running an affected plugin version and, where the handler requires login, an account of any role.
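The pattern behind this class of bug, shown as an added example in PHP. This is not Filter Plus code and does not reproduce the plugin's actual handler: the action name `fp_save_filter`, the option name `fp_filter_settings` and the nonce action `fp_filter_nonce` are invented for illustration. The vulnerable variant registers the handler for anonymous visitors and checks only a nonce; the hardened variant drops the nopriv registration, requires a capability before changing any state, and sanitizes the input before storing it. A real plugin would ship only one of the two registrations; both are shown here side by side.

```php
<?php
// Added illustration of a missing-authorization AJAX handler and its fix.
// Hypothetical names throughout; not code from the Filter Plus plugin.

// VULNERABLE: reachable by logged-in users AND anonymous visitors (nopriv),
// and the only check is a nonce. A nonce defends against CSRF; it says nothing
// about whether the caller is permitted to change site-wide settings.
add_action( 'wp_ajax_fp_save_filter',        'fp_save_filter_vulnerable' );
add_action( 'wp_ajax_nopriv_fp_save_filter', 'fp_save_filter_vulnerable' );

function fp_save_filter_vulnerable() {
    check_ajax_referer( 'fp_filter_nonce', 'nonce' ); // CSRF protection only, not authorization

    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();

    // Any caller who can obtain a nonce (e.g. from a public page) overwrites the option.
    update_option( 'fp_filter_settings', $settings );
    wp_send_json_success();
}

// HARDENED: logged-in users only (no nopriv hook), explicit capability check
// before any state change, and input sanitised before it is persisted.
add_action( 'wp_ajax_fp_save_filter', 'fp_save_filter_hardened' );

function fp_save_filter_hardened() {
    check_ajax_referer( 'fp_filter_nonce', 'nonce' );

    // Authorization: only users who may manage site options proceed.
    // wp_send_json_error() terminates the request, so no code below runs for others.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Sanitise every value before storage; adjust the sanitiser to the real schema.
    $settings = array_map( 'sanitize_text_field', $raw );

    update_option( 'fp_filter_settings', $settings );
    wp_send_json_success();
}
```

To triage a third-party plugin for this bug class, list every `add_action( 'wp_ajax_...' )`, `add_action( 'wp_ajax_nopriv_...' )`, `admin_post_` registration and `register_rest_route()` call, then confirm the callback behind each one calls `current_user_can()` (or, for REST, supplies a `permission_callback` that is not `__return_true`) before it reads restricted data or writes anything. A handler that reaches `update_option()`, `wp_delete_post()` or similar with only a nonce in front of it is the pattern to flag.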
OpenCVE Enrichment