Impact
The bPlugins 3D viewer – Embed 3D Models plugin for WordPress has a missing authorization vulnerability that affects all releases through version 1.8.5. This broken access control flaw allows an attacker to access plugin features without proper authorization, potentially exposing sensitive data or allowing further exploitation. The weakness is classified as CWE‑862 (Missing Authorization): the software does not perform an authorization check when a user attempts an action or accesses a resource.
Affected Systems
WordPress sites that have the bPlugins 3D viewer – Embed 3D Models plugin installed at any version up to and including 1.8.5; no minimum affected version is specified. The affected component is the 3d‑viewer plugin from the vendor bPlugins.
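To check a site against the version range above, the following added example (not code from the plugin or from this advisory's source) reads the plugin header on disk and compares it to 1.8.5. The directory name `3d-viewer` and the `wp-content/plugins` layout are assumptions; a version above 1.8.5 is only outside the stated range, since no fix is listed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 8, 5)  # from the advisory: all releases through 1.8.5
PLUGIN_SLUG = "3d-viewer"  # assumption: the install directory uses this name

# WordPress reads plugin metadata from a header comment in the first 8 KiB
# of the plugin's main PHP file; this mirrors that lookup for "Version:".
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)


def parse_version(php_source):
    """Return the header version as a tuple of ints, or None if not a main plugin file."""
    head = php_source[:8192]
    match = VERSION_RE.search(head)
    if not NAME_RE.search(head) or not match:
        return None
    digits = re.findall(r"\d+", match.group(1).split("-")[0])
    return tuple(int(d) for d in digits) or None


def is_affected(version):
    """True when version <= 1.8.5; short versions are zero-padded (1.8 -> 1.8.0)."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)


def audit(wp_root):
    """Return (version, affected) for the plugin under wp_root, or None if not found."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        version = parse_version(php.read_text(errors="replace"))
        if version:
            return version, is_affected(version)
    return None


if __name__ == "__main__":
    # Constructed sample install, so the check runs offline.
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        d.mkdir(parents=True)
        (d / "plugin.php").write_text("<?php\n/*\n * Plugin Name: Sample\n * Version: 1.8.5\n */\n")
        print(audit(root))  # (version tuple, affected flag)
```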
Risk and Exploitability
Because no CVSS score is provided and EPSS data are unavailable, the exact severity cannot be quantified; however, a broken access control gap is considered high risk because it can enable unauthorized access to functionality and sensitive content. The likely attack vector is the plugin’s administrative interface or exposed endpoints, through which an authenticated user with limited privileges may gain elevated access, or through which the plugin may expose internal data to any user. No vendor fix or workaround is listed, and the vulnerability is not recorded as a known exploited vulnerability in the CISA KEV catalog. Consequently, the risk remains substantial until a vendor patch or functional replacement is deployed.