Impact
The vulnerability is a missing authorization flaw that allows attackers to bypass access control checks within the ELEX WooCommerce Request a Quote plugin. Because the plugin misconfigures its security levels, an unauthorized user could invoke functions intended only for privileged users, potentially creating or modifying quote requests and accessing sensitive customer details. This flaw is classified as CWE-862 and can impact both the confidentiality and integrity of the data handled by the plugin.
Affected Systems
This issue affects the WordPress plugin ELEX WooCommerce Request a Quote in versions through 2.3.9. Site owners who have installed a version of the plugin within that range are potentially exposed. The vulnerability is tied to the plugin’s integration with WooCommerce and WordPress; any site that uses these components and hosts the plugin is at risk.
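A defender-side check for the affected range stated above, as an added example that is not part of the advisory or the plugin's own code: it reads the standard WordPress plugin headers under `wp-content/plugins` and flags matching installs at or below 2.3.9. The name-match string, the function names and the sample header are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (2, 3, 9)        # last affected version stated in the advisory
NAME_HINT = "request a quote"    # assumption: substring of the plugin's "Plugin Name" header

# Constructed sample header, not copied from the real plugin file.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: ELEX WooCommerce Request a Quote
 * Version: 2.3.9
 */
"""

HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_header(php_source):
    """Extract 'plugin name' and 'version' from a WordPress plugin header."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads only the first 8 KiB
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(text):
    """'2.3.10' -> (2, 3, 10); a non-numeric suffix such as '-beta' is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version):
    """True if version <= 2.3.9, False if later, None if it cannot be parsed."""
    v = version_tuple(version)
    if not v:
        return None
    v += (0,) * (3 - len(v))     # pad so "2.3" compares as 2.3.0
    return v <= LAST_AFFECTED    # numeric compare: 2.3.10 is later than 2.3.9

def scan(plugins_dir):
    """Return [(plugin directory, version, affected)] for matching plugins."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(errors="replace"))
        if NAME_HINT in fields.get("plugin name", "").lower() and "version" in fields:
            findings.append((php.parent.name, fields["version"], is_affected(fields["version"])))
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    for folder, version, affected in scan(sys.argv[1]):
        print(f"{folder}: version {version} affected={affected}")
```

Run it with the path to the site's `wp-content/plugins` directory as the only argument; a result of `None` means the version string could not be parsed and should be checked by hand.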
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The plugin is accessible via the web interface, so the attack vector is likely remote over HTTP. Although no exploitation method is officially described, an attacker could exploit the flaw by crafting requests that target the plugin’s endpoints without proper authentication. The vulnerability is not listed in CISA’s KEV catalog, but site operators should still take the modest risk into account and mitigate promptly.