Impact
The plugin suffers from an unauthenticated Insecure Direct Object Reference flaw that allows attackers to manipulate or guess identifiers for protected objects, thereby accessing sensitive license data or making unauthorized changes. The weakness is classified as CWE-639. Based on the description, the likely attack vector is modifying URL parameters or query strings that reference license identifiers, with no authentication required. The CVSS score of 6.5 indicates moderate severity, and the vulnerability is not listed in CISA's KEV catalog.
Affected Systems
The affected product is the myCred License Manager for WooCommerce plugin for WordPress, with versions up to and including 3.0.15. Users running these versions are susceptible to the IDOR issue.
Risk and Exploitability
The absence of an EPSS value means that the exploitation probability is currently unknown, yet the moderate CVSS indicates a meaningful risk. Attackers can exploit this flaw by simply adjusting URLs or API calls that target protected license resources, without needing any credentials. Successful exploitation can compromise data confidentiality, integrity, and potentially enable further malicious actions within the WordPress site.
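As an added illustration, not the plugin's own code (which this advisory does not show), the following hypothetical WordPress REST route for reading a license record appears first in the weak form CWE-639 describes and then with the ownership and capability check that closes it. The route namespace, the storage model (licenses as posts whose post_author is the owner), the meta key and the manage_woocommerce capability are assumptions.

```php
<?php
// Added example, not code from the myCred License Manager plugin.
// Names (mycred-lm-demo, demo_*) and the storage model are assumptions.

// Weak form: the permission callback accepts every request, so any visitor
// can supply any license id in the URL. This is the IDOR shape (CWE-639).
function demo_register_weak_route() {
    register_rest_route( 'mycred-lm-demo/v1', '/license/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_license',
        'permission_callback' => '__return_true', // no authentication at all
    ) );
}

// Hardened form: the id is coerced to an integer and the permission callback
// requires a logged-in caller who owns the license or may manage all of them.
function demo_register_hardened_route() {
    register_rest_route( 'mycred-lm-demo/v1', '/license/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_license',
        'args'                => array(
            'id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
        'permission_callback' => 'demo_license_permission',
    ) );
}

function demo_license_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $license_id = absint( $request['id'] );
    // Assumed storage: each license is a post; post_author is the owner.
    // get_post_field() returns '' for an unknown post, which casts to 0.
    $owner_id = (int) get_post_field( 'post_author', $license_id );
    $is_owner = $owner_id && $owner_id === get_current_user_id();
    if ( $is_owner || current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // Same response for "not yours" and "does not exist", so the endpoint
    // cannot be used to confirm which license ids are valid.
    return new WP_Error( 'rest_forbidden', 'You may not access this license.', array( 'status' => 403 ) );
}

function demo_get_license( WP_REST_Request $request ) {
    $license_id = absint( $request['id'] ); // authorization already enforced above
    return rest_ensure_response( array(
        'id'     => $license_id,
        'status' => get_post_meta( $license_id, 'license_status', true ), // assumed meta key
    ) );
}

add_action( 'rest_api_init', 'demo_register_hardened_route' );
```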
OpenCVE Enrichment