Impact
Missing authorization controls in WP Sunshine Photo Cart versions up to 3.6.7 allow an attacker to bypass intended security restrictions and potentially modify or access information that should be restricted. The flaw stems from incorrectly configured access control levels and is classified as CWE-862 (Missing Authorization); it can expose sensitive data or alter the state of the plugin without proper user permissions.
Affected Systems
The vulnerability affects all instances of the WP Sunshine Photo Cart plugin with versions from the earliest released build up through 3.6.7. Site administrators should verify the installed plugin version and ensure it lies outside this affected range.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity; no EPSS score has been assigned, so the current probability of exploitation is unknown. The flaw is not listed in the CISA KEV catalog, which suggests no known high-profile exploitation. Exploitation would most likely involve crafted HTTP requests to plugin endpoints whose access-control checks are misconfigured. Because the issue is broken access control, no local privilege escalation or remote code execution is explicitly reported, but the ability to reach privileged operations could lead to further damage.
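The CWE-862 pattern described above, as an added illustration rather than code from WP Sunshine Photo Cart: a WordPress AJAX handler that changes plugin state without a capability or nonce check, beside the hardened form, plus a REST route with a real permission_callback. All action names, option names and the hypothetical example-cart namespace are assumptions for illustration only.

```php
<?php
// Added illustration (not the plugin's own code). Handler, option and
// route names below are hypothetical.

// VULNERABLE: registered for any logged-in user, but the callback never
// checks a capability or a nonce, so a subscriber-level account can change
// plugin state. This is the missing-authorization weakness (CWE-862).
add_action( 'wp_ajax_example_cart_update_settings', 'example_cart_update_settings_vuln' );
function example_cart_update_settings_vuln() {
    update_option( 'example_cart_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}

// HARDENED: require a nonce (request not forgeable cross-site) and a
// capability appropriate to the operation. Both checks run server-side;
// hiding a menu item or button in the UI is not access control.
add_action( 'wp_ajax_example_cart_update_settings_safe', 'example_cart_update_settings_safe' );
function example_cart_update_settings_safe() {
    check_ajax_referer( 'example_cart_settings', 'nonce' );      // ends request with 403 on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {               // least privilege: administrators only
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    update_option( 'example_cart_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}

// Same principle for a REST route that exposes data: permission_callback
// must be a real check, never '__return_true', for anything sensitive.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cart/v1', '/orders', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( get_option( 'example_cart_orders', array() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of bug, audit every wp_ajax_*, admin_post_* and REST callback for the capability check and nonce shown in the hardened handler, and treat any permission_callback that returns true unconditionally as a finding.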
OpenCVE Enrichment