Impact
The vulnerability is a missing authorization flaw in the WordPress plugin Small Package Quotes – Worldwide Express Edition. Incorrectly configured access control security levels allow a user to invoke plugin functionality that should be restricted. This can enable an attacker to read or modify data, execute privileged actions, or otherwise compromise the site’s integrity. The primary impact is unauthorized access to sensitive data or administrative functions within the plugin.
Affected Systems
The flaw affects all installations of the Small Package Quotes – Worldwide Express Edition plugin from the earliest release up to and including version 5.2.19. Any WordPress site that has not upgraded beyond 5.2.19 is potentially vulnerable.
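A version check for the affected range above, as an added example that is not code from the plugin or from this advisory. It assumes the plugin's main PHP file carries standard WordPress `Plugin Name:` and `Version:` headers and that the name header contains the phrases in `NAME_PARTS`; the plugin trees in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (5, 2, 19)  # advisory: affected up to and including 5.2.19
# Assumption: the plugin's "Plugin Name:" header contains both phrases below.
NAME_PARTS = ("small package quotes", "worldwide express")
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$",
                    re.I | re.M)

def parse_version(text):
    """'5.2.19' -> (5, 2, 19); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version_text):
    v = parse_version(version_text)
    if not v:
        return True  # unknown version: flag it for manual review
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(LAST_AFFECTED)

def scan_plugins(plugins_dir):
    """Return (file, version, affected) for each matching plugin main file."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        fields = {}
        for key, value in HEADER.findall(head):
            fields.setdefault(key.lower(), value)  # first occurrence wins
        name = fields.get("plugin name", "").lower()
        if all(part in name for part in NAME_PARTS):
            version = fields.get("version", "")
            hits.append((php.name, version, is_affected(version)))
    return hits

def demo():
    """Run the scan over a constructed plugins tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as root:
        for slug, ver in (("site-a-copy", "5.2.19"), ("site-b-copy", "5.2.20")):
            d = Path(root, slug); d.mkdir()
            d.joinpath(slug + ".php").write_text(
                "<?php\n/**\n * Plugin Name: Small Package Quotes - Worldwide "
                f"Express Edition\n * Version: {ver}\n */\n", encoding="utf-8")
        return scan_plugins(root)
```

Point `scan_plugins()` at a site's `wp-content/plugins` directory; a missing or unparseable version is reported as affected so that it gets looked at by hand.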
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is considered medium to high severity. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the flaw is not listed in CISA’s KEV catalog. The exploitation vector is likely a web request to the plugin’s endpoints. An attacker may need some authenticated access to invoke the insecure function, though lower-privileged users might still succeed if the plugin fails to enforce proper capability checks. The risk is heightened on sites with many users or where the plugin exposes configuration or rate‑pricing functions.