Impact
The Elastic Email Subscribe Form WordPress plugin is missing an authorization check, so plugin features can be reached by users who should not have access to them; this is a broken access control vulnerability. An attacker could use the plugin's exposed functionality to perform unauthorized actions such as adding subscribers, viewing subscription data, or modifying plugin configuration. The lack of proper authorization checks could lead to privacy leakage or unauthorized data manipulation. The vulnerability is classified as CWE-862 (Missing Authorization), an authorization bypass.
Affected Systems
The vulnerability affects the Elastic Email Subscribe Form plugin for WordPress, specifically all versions from the earliest release through version 1.2.2. Users running any of these versions are at risk. The plugin is distributed by Elastic Email and is commonly installed on WordPress sites that provide email subscription services. The issue does not affect the core WordPress software itself, only the plugin.
Risk and Exploitability
The CVSS score is 5.4, placing the vulnerability in the medium severity range. The EPSS score is below 1%, indicating a very low probability of exploitation at the time of assessment. The vulnerability is not listed in CISA KEV. The attack vector is most likely the plugin's exposed endpoints, which can be reached by any authenticated user or, depending on configuration, even by anonymous users. Because the plugin lacks proper access checks, an attacker can trigger the unintended behavior without elevated credentials. Consequently, while the overall risk is moderate, the impact could be significant if the plugin exposes privileged actions.
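To illustrate the CWE-862 pattern described under Impact and the exposed-endpoint concern above, here is an added, hypothetical example that is not the Elastic Email Subscribe Form plugin's own code: a WordPress AJAX action and a REST route that manage a subscriber list, first with no authorization check, then with the nonce and capability checks a fix would add. The action names, the `ees_subscribers` option, the `manage_options` capability and the `ees/v1` route namespace are assumptions.

```php
<?php
// Added example, not the plugin's code. Names and the capability are assumptions.

// Missing authorization (CWE-862): wp_ajax_{action} fires for every logged-in
// user regardless of role, so without a capability check any subscriber-level
// account can add entries. A wp_ajax_nopriv_ hook would extend this to anonymous callers.
add_action( 'wp_ajax_ees_add_subscriber', 'ees_add_subscriber_unchecked' );
function ees_add_subscriber_unchecked() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $list  = (array) get_option( 'ees_subscribers', array() );
    $list[] = $email;
    update_option( 'ees_subscribers', $list );
    wp_send_json_success();
}

// Hardened form: verify intent (nonce) and authority (capability) before acting.
add_action( 'wp_ajax_ees_add_subscriber_secure', 'ees_add_subscriber_checked' );
function ees_add_subscriber_checked() {
    // The nonce ties the request to a form this user was actually served (CSRF protection).
    check_ajax_referer( 'ees_add_subscriber', 'nonce' );
    // The capability check is the real authorization decision; pick the narrowest
    // capability that fits the action instead of relying on login alone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
    }
    $list   = (array) get_option( 'ees_subscribers', array() );
    $list[] = $email;
    update_option( 'ees_subscribers', array_values( array_unique( $list ) ) );
    wp_send_json_success( array( 'count' => count( $list ) ) );
}

// REST routes: permission_callback is where authorization lives. Returning true
// (or omitting the callback) exposes the subscriber data to anonymous callers.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ees/v1', '/subscribers', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( (array) get_option( 'ees_subscribers', array() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this weakness, every wp_ajax_, wp_ajax_nopriv_, admin_post_ and register_rest_route handler that changes state or reads subscriber data should show a capability check like the one above.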