Impact
The vulnerability stems from missing authorization checks in the Mulika Team MIPL WC Multisite Sync WordPress plugin. Because the plugin does not enforce the correct security levels on its actions, users who should not have special privileges can perform actions normally reserved for higher-level users. An attacker can use this to read or modify data that belongs to other sites or administrators, potentially leading to data leakage or corruption. The weakness maps to CWE-862 (Missing Authorization).
Affected Systems
The issue affects the MIPL WC Multisite Sync plugin from Mulika Team, versions up to and including 1.4.4. An exact lower bound for the affected range is not documented, so versions earlier than 1.4.4 may also be impacted. All installations of the plugin on WordPress sites that do not enforce strict access control are vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score (< 1 %) indicates a low probability of exploitation. The plugin operates within a web application context, so an attacker could potentially trigger the flaw via an HTTP request to a plugin endpoint, likely without requiring local privileges. Because the flaw is not listed in the CISA KEV catalog, there is currently no evidence of widespread active exploitation. Nonetheless, the flaw allows unauthorized access to sensitive content, making it a clear target for attackers looking to elevate privileges or exfiltrate data.