Impact
The flaw is a missing authorization check that allows users without proper privileges to perform actions normally reserved for administrators. An attacker can access and manipulate configuration or data within WooCommerce Shop Page Builder, potentially leading to unauthorized data disclosure, alteration, or deletion in the e-commerce environment. The weakness is classified as CWE-862. It does not provide remote code execution or denial of service, but it can impact confidentiality, integrity, and availability within the affected site.
Affected Systems
ZoomIt’s WooCommerce Shop Page Builder plugin, all releases up to and including version 2.27.7, is affected by this missing authorization flaw.
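To check an installation against the affected range above, the following added example (not from the advisory or the plugin vendor) reads WordPress plugin headers under a `wp-content/plugins` directory and flags any matching plugin at or below 2.27.7. The `NAME_HINT` substring and the sample header are assumptions; an unreadable version is flagged as affected so that it gets a manual look.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = "2.27.7"          # last affected release, per the advisory
NAME_HINT = "shop page builder"   # assumption: substring of the "Plugin Name" header

# WordPress reads "Key: value" headers from the first 8 KB of a plugin's main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

# Constructed sample header, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WooCommerce Shop Page Builder
 * Version: 2.27.7
 */
"""

def parse_header(text):
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key.lower(), value)   # first occurrence wins
    return fields

def version_key(version):
    # Keep only the leading dotted-numeric part, so "2.27.7-beta" compares as 2.27.7.
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    while parts and parts[-1] == 0:             # "2.27.7.0" equals "2.27.7"
        parts.pop()
    return tuple(parts)

def is_affected(version):
    key = version_key(version or "")
    return key is None or key <= version_key(LAST_AFFECTED)   # unknown: fail closed

def scan(plugins_dir):
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(errors="replace"))
        if NAME_HINT in fields.get("plugin name", "").lower():
            version = fields.get("version")
            findings.append((php.parent.name, version, is_affected(version)))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for slug, version, affected in (scan(target) if target else []):
        print(slug, version, "AFFECTED" if affected else "ok")
```

Run it with the path to the site's plugins directory as the only argument.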
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of < 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves submitting crafted web requests to the WordPress admin interface, exploiting the absence of proper authorization checks to trigger privileged functionality. Because exploitation requires reaching the admin interface, the risk is confined to sites where the plugin is active and administrative access paths are available.