The vulnerability is a missing authorization flaw that allows attackers to bypass normal access controls when interacting with the iPOSpays Gateways WC plugin. An attacker can exploit the incorrectly configured security levels to perform actions that should be restricted, potentially exposing sensitive data or modifying configurations without proper permission. This weakness is categorized as a broken access control (CWE‑862) and can undermine the confidentiality, integrity, and availability of the WordPress installation. The description states only that authorization checks are missing; no additional exploitation details are provided.

The affected system is the iPOSpays Gateways WC plugin for WordPress, specifically all releases from the earliest available version up to and including 1.3.7. No further version granularity is supplied in the listed data. Users running any of these versions are potentially exposed until a remediation applied.

The CVSS score is not disclosed in the provided material, and the EPSS score is unavailable, leaving the precise likelihood of exploitation unclear. However, the nature of an unauthenticated or improperly authenticated access control flaw suggests a high potential impact if an attacker can obtain or assume privileges within the WordPress environment. The vulnerability is not yet noted in the CISA KEV catalog. The likely attack vector is through the web interface of the plugin, where an attacker may exploit the lack of authorization checks via crafted requests or by creating a user account that achieves elevated privileges. The risk remains significant until the plugin is updated to a version that resolves the issue.