Impact
This vulnerability is a missing authorization flaw in the Rapid Car Check Vehicle Data WordPress plugin that allows unauthorized users to access or manipulate vehicle data. Because the plugin fails to enforce proper access control, attackers could read or modify data stored by the plugin. The weakness corresponds to CWE-862 (Missing Authorization), a broken access control weakness that can lead to data exposure or integrity violations.
Affected Systems
The flaw affects the Rapid Car Check Vehicle Data plugin for WordPress, specifically all versions up through 2.0. The plugin is distributed as the free-vehicle-data-uk package. Any WordPress installation running this plugin prior to version 2.1 is potentially vulnerable.
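To check whether a given site falls in the affected range, the following added example (not code from the plugin or from this advisory) reads the plugin's version header from disk and compares it with 2.1. It assumes the standard `wp-content/plugins/<slug>` layout and treats 2.1 as the first unaffected version, as stated above; the sample file name `plugin.php` is constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "free-vehicle-data-uk"  # plugin slug from the advisory
FIXED = (2, 1)                 # advisory: installs prior to 2.1 are affected

# WordPress reads plugin metadata from a header comment in the first 8 KB of a PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """Turn '2.0' or '2.0.1-beta' into a comparable tuple of leading integers."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def installed_version(plugin_dir):
    """Return the Version header from the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:  # only the main file carries this header
            m = HEADER_RE.search(head)
            return m.group(1) if m else None
    return None


def check_site(wp_root):
    """Classify one WordPress tree as absent, affected, patched or unknown."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("absent", None)
    raw = installed_version(plugin_dir)
    ver = parse_version(raw) if raw else ()
    if not ver:
        return ("unknown", raw)  # header missing or unparsable: review by hand
    return ("affected" if ver < FIXED else "patched", raw)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        d = Path(root, "wp-content", "plugins", SLUG)
        d.mkdir(parents=True)
        (d / "plugin.php").write_text("<?php\n/*\n * Plugin Name: Sample\n * Version: 2.0\n */\n")
        print(check_site(root))
```

An `unknown` result means the plugin directory exists but no usable version header was found, so that install should be inspected manually rather than assumed safe.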
Risk and Exploitability
The CVSS base score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that this vulnerability is unlikely to be widely exploited at present, and it is not listed in the CISA KEV catalog. An attacker would need the right conditions to bypass the plugin's authorization checks, which implies that the attack vector is likely authenticated use of the plugin's interface, or potentially a misconfigured role with extra permissions. While the vulnerability does not grant execution privileges, it does allow unauthorized read/write access to vehicle records, potentially compromising the confidentiality and integrity of that data.