Impact
The vulnerability allows an authenticated attacker to change SmartCrawl plugin settings without proper authorization. The flaw is in the update_submodule() function, which omits a capability check, so any authenticated user with the Subscriber role or higher can modify configuration values that should be restricted to administrators. Because SmartCrawl controls the site's SEO behaviour, such changes could redirect traffic, alter metadata, or disrupt the site's search engine visibility, compromising the integrity of the website's configuration and its public presence.
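The pattern described above, as an added illustrative example written for this page and not code from the SmartCrawl plugin: a WordPress admin-ajax handler that updates a plugin option with no authorization check, beside a hardened version. Every hook, option and module name here is hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, update_option, wp_send_json_*) are real core functions. The relevant detail is that wp_ajax_* actions are reachable by any logged-in user, Subscribers included, so a handler that does not check a capability itself has no authorization at all.

```php
<?php
// Illustrative example only; not SmartCrawl code. Hook, option and module
// names below are hypothetical.

// Vulnerable pattern: the handler assumes that reaching admin-ajax.php means
// the caller may change settings. In fact every logged-in user (Subscriber
// and up) can trigger any wp_ajax_* action, so the missing check is the bug.
add_action( 'wp_ajax_example_update_submodule', 'example_update_submodule_vulnerable' );
function example_update_submodule_vulnerable() {
    $module  = sanitize_key( $_POST['module'] ?? '' );
    $enabled = ! empty( $_POST['enabled'] );

    $options            = get_option( 'example_plugin_options', array() );
    $options[ $module ] = $enabled;
    update_option( 'example_plugin_options', $options ); // no capability check, no nonce

    wp_send_json_success( $options );
}

// Hardened form: verify the nonce (CSRF) and the capability (authorization)
// before touching any option, and only accept known module names.
// Subscribers do not hold manage_options, so they are rejected with a 403.
add_action( 'wp_ajax_example_update_submodule_secure', 'example_update_submodule_secure' );
function example_update_submodule_secure() {
    // check_ajax_referer() dies with a 403 response if the nonce is missing or invalid.
    check_ajax_referer( 'example_update_submodule', '_wpnonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates execution, so nothing below runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $allowed_modules = array( 'sitemap', 'schema', 'onpage' ); // hypothetical allow-list
    $module          = sanitize_key( $_POST['module'] ?? '' );
    if ( ! in_array( $module, $allowed_modules, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown module' ), 400 );
    }
    $enabled = ! empty( $_POST['enabled'] );

    $options            = get_option( 'example_plugin_options', array() );
    $options[ $module ] = $enabled;
    update_option( 'example_plugin_options', $options );

    wp_send_json_success( $options );
}
```

When reviewing a plugin for this class of bug, look at every wp_ajax_*, admin_post_* and REST route callback and confirm that each one performs its own current_user_can() check (or a permission_callback for REST routes); a nonce check alone only prevents CSRF and does not stop a low-privilege account that holds a valid nonce.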
Affected Systems
This flaw exists in the SmartCrawl SEO checker, analyzer & optimizer WordPress plugin by WPMU DEV for all versions up to 3.14.3 inclusive. Users running any of those releases on their WordPress installations are impacted.
Risk and Exploitability
The CVSS score of 4.3 (Medium) reflects a limited impact: the attacker needs valid credentials, but only at the Subscriber level, and the effect is on the integrity of the plugin's configuration rather than on confidentiality or availability. EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA's KEV catalog. However, because any valid account suffices and the flaw is straightforward to exploit through the plugin's settings update endpoint, the risk is non-negligible for sites that allow open registration or have many users at Subscriber level or above. This page does not record a patch status; until a release that restores the capability check is confirmed installed, treat the settings update interface as reachable by any authenticated user, and consider restricting self-registration and reviewing recent SmartCrawl settings changes in the meantime.