Reply To: Remote Code Execution Vulnerability Patched in WPML WordPress Plugin

CVSS severity scores have long been noted by the security industry to not be a reliable measure of the severity of vulnerabilities, and this vulnerability is a good example of that.

With this vulnerability, the attacker would have to have a level of access an untrusted individual rarely would have. So the risk posed by the vulnerability is rather low. The idea that a vulnerability unlikely to be exploited would have almost the highest severity doesn’t make sense.

Or to put it another way, if the vulnerability was exploitable by someone not logged in, it would certainly be widely exploited, but the severity score could increase to 10 from 9.9.

It would help if WordPress security providers stuck to more accurate severity measurements to avoid overstating the risks of vulnerabilities and unnecessarily scaring the WordPress community.

Also, what is the source for the claimed install count of this plugin?