The Promolayer plugin for WordPress, which manages popups and abandonment prevention, contains a missing capability check (CWE-862) in the disconnect_promolayer function. This flaw allows authenticated users with low privileges (subscriber or higher) to perform unauthorized updates to plugin settings, specifically to remove the Promolayer connection. The vulnerability is present in all versions up to 1.1.0 and has a CVSS 3.1 base score of 4.3, reflecting a medium severity with low impact on confidentiality and availability but some impact on integrity.

An attacker with subscriber-level access or higher can exploit this vulnerability to remove the Promolayer connection by updating plugin settings without proper authorization. This could disrupt the intended functionality of the plugin but does not impact confidentiality or availability. There are no reports of exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access where possible and monitor for unauthorized changes to plugin settings. Avoid granting unnecessary privileges to low-level authenticated users.