The WP Frontend Profile plugin (versions up to 1.3.9) contains a missing authorization flaw that lets attackers bypass the plugin’s access control checks. When exploited, a user without sufficient privileges can gain unauthorized access to protected areas of the WordPress site, potentially reading or modifying sensitive user data. The weakness is classified as CWE-862, indicating an incorrect authorization mechanism.

The vulnerability affects the Glowlogix WP Frontend Profile plugin released for WordPress. All installations using version 1.3.9 or earlier are vulnerable. No other product versions are specified as affected in the public disclosure.

The CVSS score of 5.3 highlights a medium severity risk. The EPSS score is less than 1%, suggesting the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The active attack vector is likely a web-based request that a site administrator or privileged user could run, though the description does not explicitly state remote code execution or other advanced capabilities; the inferred attack scenario involves unauthenticated or low-privilege users sending crafted requests to obtain elevated access. Because of the moderate CVSS rating and low EPSS, the risk is considered moderate, but patching is recommended to eliminate the access control bypass.