The Geo Controller plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in its ajax__geolocate_menu and ajax__geolocate_remove_menu functions. This flaw permits authenticated users with low-level privileges (Subscriber and above) to create or delete WordPress menus, actions normally restricted to higher privilege roles. The vulnerability affects all versions up to and including 8.7.3. The CVSS 3.1 base score is 4.3 (medium), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and limited integrity impact. No patch or official remediation guidance is currently available.

An attacker with at least Subscriber-level access can manipulate WordPress menus by creating or deleting them without proper authorization. This could lead to unauthorized changes in site navigation or user interface elements, potentially confusing users or facilitating further attacks that rely on altered menus. There is no direct impact on data confidentiality or system availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Subscriber-level user capabilities where possible and monitor for unauthorized menu changes. Avoid granting Subscriber or higher privileges to untrusted users.