The vulnerability in WPComplete versions up to 2.9.5.5 is a broken access control flaw affecting subscriber-level permissions. An attacker with access to the site could potentially bypass subscriber restrictions to view or modify content and settings beyond the intended level, leading to data leakage or unauthorized configuration changes. The flaw is tracked as CWE-862, which specifically addresses improper restriction of operations to authorized users. The stated CVSS score of 5.4 indicates moderate severity, reflecting the potential impact on data confidentiality and integrity if exploited.

The affected product is the WordPress WPComplete plugin deployed by Nexcess. All installed instances of WPComplete version 2.9.5.5 or earlier are vulnerable, while versions 2.9.5.6 and above contain the fix. Administrators should verify that no legacy versions remain in use on any WordPress installation through the plugin manager.

The CVSS score of 5.4 signals a moderate risk, while the EPSS score is currently unavailable, so the exploitation probability is unknown. Because the vulnerability resides in a widely used WordPress plugin, an attacker could exploit it by simply accessing the site's front‑end or back‑end if they can authenticate or trick a user into acting. The plugin’s default role assignments are the likely entry point for exploitation. The CVE is not listed in the CISA KEV catalog, suggesting that a public exploit attack is not yet widespread, but the risk remains for any site still running an affected version.