Impact
The 8blocks 1003 Mortgage Application WordPress plugin contains a missing authorization flaw (CWE‑862) that permits users to invoke functions which should be restricted by access control lists. Because the internal boundaries are not enforced, an attacker can gain unauthorized privileges through the plugin’s API endpoints, potentially exposing sensitive data, altering mortgage calculations, or manipulating application workflows. The severity is reflected in a CVSS score of 7.5, indicating that the flaw can have a significant impact on confidentiality, integrity, and availability if exploited.
Affected Systems
This flaw affects installations of the 8blocks 1003 Mortgage Application plugin at version 1.87 or earlier. Any WordPress site running a vulnerable copy of the plugin remains susceptible until it is updated to a newer version or the plugin is removed.
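The following is an added example, not part of the advisory or the plugin's own code: a Python check that inventories a wp-content/plugins directory for copies at or below version 1.87. It assumes the plugin's header comment carries the name "1003 Mortgage Application" as the advisory gives it; the sample header is constructed for illustration.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "1003 Mortgage Application"  # name as given in the advisory (assumed header value)
LAST_AFFECTED = (1, 87)                     # advisory: "version 1.87 or earlier"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def parse_headers(php_source):
    """Extract 'plugin name' and 'version' from a plugin file's header comment."""
    headers = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads the first 8 KiB
        headers.setdefault(key.lower(), value.strip())       # first occurrence wins
    return headers

def version_tuple(version):
    """'1.87' -> (1, 87); suffixes like '-beta' and trailing zero parts are dropped."""
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(headers):
    """True for the named plugin at <= 1.87; a missing version is flagged too."""
    if PLUGIN_NAME.lower() not in headers.get("plugin name", "").lower():
        return False
    return version_tuple(headers.get("version", "")) <= LAST_AFFECTED

def scan(plugins_dir):
    """Return [(path, version)] for affected copies directly under plugins_dir/*/."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = parse_headers(php.read_text(encoding="utf-8", errors="replace"))
        if is_affected(headers):
            hits.append((str(php), headers.get("version", "unknown")))
    return hits

# Constructed sample header (not copied from the real plugin).
SAMPLE = """<?php
/**
 * Plugin Name: 1003 Mortgage Application
 * Version: 1.87
 */
"""

if __name__ == "__main__":
    for path, version in scan(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"AFFECTED {version} {path}")
```

Run it with the path to a site's plugins directory; matching is by header name rather than folder name, so renamed plugin folders are still found.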
Risk and Exploitability
The EPSS score is below 1%, suggesting that the likelihood of exploitation is presently low, and the vulnerability is not currently listed in CISA’s KEV catalog. Nonetheless, it can be triggered by an external actor through normal HTTP requests to the plugin’s endpoints, making it a remote, web‑based attack vector. Given the high CVSS score, the potential damage is considerable, and the lack of existing mitigations on the server means the vulnerability is exploitable as long as the plugin remains active.