The Bridge Core plugin for WordPress suffers from a missing authorization (CWE-862) vulnerability in the 'import_action' and 'install_plugin_per_demo' functions in versions up to and including 3.3. This flaw allows authenticated users with low-level privileges (subscriber or above) to perform actions normally restricted to higher privilege roles, such as deleting or changing plugin settings, importing demo content, and installing limited plugins. The vulnerability has a CVSS 3.1 base score of 5.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required at the low level.

An attacker with subscriber-level access can exploit this vulnerability to alter or delete plugin settings, import demo data, and install certain plugins without authorization. This can result in unauthorized configuration changes and potential loss of data or service disruption. There is no indication of confidentiality impact, but integrity and availability impacts are present.

Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor's advisory for updates and apply any official patches once released. Until then, restrict subscriber-level access to trusted users only and consider disabling or limiting use of the affected plugin functions if possible.