This vulnerability in PublishPress Capabilities arises from missing authorization controls in the capability-manager-enhanced component. It affects versions up to and including 2.31.0. The issue allows users with low privileges to bypass intended access restrictions due to incorrectly configured access control security levels. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity and requiring low privileges, resulting in limited confidentiality impact without integrity or availability effects.

The impact is limited to potential unauthorized access to certain capability management functions, which could lead to limited information disclosure. There is no indication of integrity or availability compromise. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, review and tighten access control configurations in PublishPress Capabilities to limit exposure. Monitor for vendor updates addressing this vulnerability.