Impact
The plugin lacks proper authorization checks, allowing unauthorized users to exercise repeater field functionality. The flaw is a missing authorization issue, classified under CWE-862. If an attacker can invoke the plugin's endpoints, they may create, modify, or delete repeater data, potentially injecting malicious content or corrupting site data and impacting confidentiality and integrity.
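The missing-authorization pattern described above, as an added illustration that is not the Panda Pods Repeater Field plugin's own code: a WordPress AJAX handler that saves repeater rows, first written the way CWE-862 shows up in practice, then with the checks that close the gap. The action names, the `_pprf_rows` meta key and the `nonce` request field are hypothetical.

```php
<?php
// Illustrative example, not the plugin's code. Handler names, the action names
// 'pprf_save_rows_v1' / 'pprf_save_rows', and the '_pprf_rows' meta key are hypothetical.

// --- Vulnerable pattern (CWE-862): any request that reaches admin-ajax.php is honored. ---
function pprf_save_rows_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $rows    = $_POST['rows'] ?? array();
    // No nonce, no capability check: whoever can reach the endpoint can overwrite the data.
    update_post_meta( $post_id, '_pprf_rows', $rows );
    wp_send_json_success();
}
// Registering the nopriv variant additionally exposes the handler to unauthenticated visitors.
add_action( 'wp_ajax_nopriv_pprf_save_rows_v1', 'pprf_save_rows_unchecked' );
add_action( 'wp_ajax_pprf_save_rows_v1', 'pprf_save_rows_unchecked' );

// --- Hardened pattern: authenticate the request, authorize the actor, validate the input. ---

// Keep only scalar cells of each row and run them through WordPress text sanitization.
function pprf_sanitize_rows( $rows ) {
    if ( ! is_array( $rows ) ) {
        return array();
    }
    $clean = array();
    foreach ( $rows as $row ) {
        if ( ! is_array( $row ) ) {
            continue;
        }
        $clean[] = array_map( 'sanitize_text_field', array_filter( wp_unslash( $row ), 'is_scalar' ) );
    }
    return $clean;
}

function pprf_save_rows() {
    // 1. Nonce: the request must carry a token this site issued to this user (CSRF defense).
    //    check_ajax_referer() dies with a 403 response when the token is missing or invalid.
    check_ajax_referer( 'pprf_save_rows', 'nonce' );

    // 2. Authorization: the actor must be allowed to edit *this* post, not merely be logged in.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation before anything is written to the database.
    $rows = pprf_sanitize_rows( $_POST['rows'] ?? array() );
    update_post_meta( $post_id, '_pprf_rows', $rows );
    wp_send_json_success( array( 'saved' => count( $rows ) ) );
}
// Only the authenticated hook is registered; there is deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_pprf_save_rows', 'pprf_save_rows' );

// Hand the nonce to the editor script that calls the endpoint.
function pprf_enqueue_editor_script() {
    wp_enqueue_script( 'pprf-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'pprf-editor', 'pprfData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'pprf_save_rows' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'pprf_enqueue_editor_script' );
```

The two checks do different jobs and neither replaces the other: the nonce proves the request originated from a page this site served to the current user, while `current_user_can( 'edit_post', $post_id )` proves that user is actually permitted to change the specific post. A handler that checks only `is_user_logged_in()` would still let any subscriber rewrite repeater data on any post.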
Affected Systems
WordPress sites running the Coding Panda Panda Pods Repeater Field plugin at version 1.5.12 or earlier are affected. Any installation using the vulnerable plugin, regardless of other plugins or themes, is potentially exposed. The issue is resolved in versions newer than 1.5.12.
Risk and Exploitability
The vulnerability carries a CVSS score of 5.3, denoting moderate severity, while the EPSS score is below 1%, indicating that active exploitation is unlikely but not impossible. Attackers would need to exploit the absent access control at the plugin level, which typically requires authentication or a privileged user context. The risk level is moderate to low in typical deployments, but remediation should still be prioritized, as the flaw can lead to unauthorized content manipulation or code injection.
OpenCVE Enrichment