The Permalink Manager Lite plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in all versions up to 2.4.4. Specifically, the plugin fails to enforce capability checks on the 'debug_data', 'debug_query', and 'debug_redirect' functions, enabling unauthenticated attackers to retrieve sensitive information including passwords and content from password-protected posts. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No patch or vendor advisory is currently available, and no known exploits have been reported.

An unauthenticated attacker can exploit this vulnerability to access sensitive data such as passwords and content of password-protected posts within affected WordPress sites using the Permalink Manager Lite plugin. This compromises confidentiality but does not affect integrity or availability. The medium CVSS score reflects the potential for data exposure without requiring authentication or user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling or removing the Permalink Manager Lite plugin if sensitive data exposure is a concern. Monitor vendor channels for updates and apply patches promptly once available.