Impact
The vulnerability is a missing authorization issue, classified as CWE‑862 (Missing Authorization): the plugin exposes endpoints that perform actions without first checking that the caller is permitted to perform them. An attacker who can reach those endpoints can therefore invoke them without the expected permission, which can lead to unauthorized access to CRM data and to its leakage or manipulation.
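As an added illustration that is not part of this advisory and is not the Privyr CRM Integration plugin's own code, the block below shows the generic CWE‑862 pattern in a WordPress plugin endpoint next to its hardened form, for both an admin-ajax handler and a REST route. The action names, REST namespace and route, option name and callback names (everything prefixed `example_crm`) are hypothetical; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `register_rest_route`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in WordPress plugin
// endpoints. Hypothetical names throughout; NOT the affected plugin's code.

/* ---------- Vulnerable admin-ajax handler ---------- */

// Registering on wp_ajax_nopriv_* makes the action reachable by visitors who
// are not logged in at all; wp_ajax_* reaches any logged-in user.
add_action( 'wp_ajax_nopriv_example_crm_export', 'example_crm_export_vulnerable' );
add_action( 'wp_ajax_example_crm_export', 'example_crm_export_vulnerable' );

function example_crm_export_vulnerable() {
    // Anyone who can request
    //   /wp-admin/admin-ajax.php?action=example_crm_export
    // receives the stored data: there is no capability check and no nonce.
    $leads = get_option( 'example_crm_leads', array() );
    wp_send_json_success( $leads );
}

/* ---------- Hardened admin-ajax handler ---------- */

// Only logged-in users can reach the action (no nopriv hook), and the
// handler itself still enforces authorization before doing any work.
add_action( 'wp_ajax_example_crm_export_secure', 'example_crm_export_secure' );

function example_crm_export_secure() {
    // CSRF protection: reject requests without a valid nonce for this action.
    // check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_crm_export', 'nonce' );

    // Authorization (the check CWE-862 is about): require a capability that
    // matches the sensitivity of the operation. manage_options is held by
    // administrators by default; a nonce alone is not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $leads = get_option( 'example_crm_leads', array() );
    wp_send_json_success( $leads );
}

// Issue the nonce to the admin page that will call the endpoint. The script
// handle 'example-crm-admin' is assumed to be registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-crm-admin', 'exampleCrm', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_crm_export' ),
    ) );
} );

/* ---------- REST route: weak setting beside the corrected one ---------- */

add_action( 'rest_api_init', function () {
    // Weak: permission_callback => '__return_true' makes the route public.
    // This is the REST equivalent of the missing check above.
    register_rest_route( 'example-crm/v1', '/leads', array(
        'methods'             => 'GET',
        'callback'            => 'example_crm_rest_leads',
        'permission_callback' => '__return_true',
    ) );

    // Corrected: the permission callback performs the authorization check.
    // Cookie-authenticated REST calls must also send the X-WP-Nonce header
    // (nonce action 'wp_rest'), which core verifies before this runs.
    register_rest_route( 'example-crm/v1', '/leads-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_crm_rest_leads',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_crm_rest_leads( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_crm_leads', array() ) );
}
```

The point to check when reviewing any plugin endpoint is the same in both halves: every `wp_ajax_*`, `wp_ajax_nopriv_*` and `register_rest_route` registration must lead to a capability check appropriate to the action, and a nonce (CSRF control) does not substitute for that check.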
Affected Systems
The affected product is the Privyr CRM Integration plugin for WordPress, published by Shivam Mani Tripathi. All versions up to and including 1.0.2 are affected; no earlier version has been shown to be unaffected, so any installation at version <= 1.0.2 should be treated as vulnerable. The installed version can be read from the plugin header in the WordPress admin plugins list or with `wp plugin list` on the host.
Risk and Exploitability
The CVSS score of 5.4 places the flaw at medium severity. The EPSS value below 1% indicates that, as of the last assessment, exploitation in the wild is assessed as unlikely, and the CVE is not listed in the CISA KEV catalog, so no confirmed active exploitation has been recorded there. Neither signal reduces the underlying exposure: the flaw is a broken access control, so anyone who can reach the vulnerable URLs can bypass the permission checks the plugin should enforce. The attack vector is web requests to the plugin's endpoints, which means the flaw is reachable by whoever can send HTTP requests to the WordPress site: on a publicly hosted site that is any internet client, and only deployments that restrict inbound traffic to the WordPress installation limit the exposed population. Until a release that corrects the missing check is available and installed, restricting access to the plugin's endpoints at the web server or WAF, or disabling the plugin, reduces the exposure.
OpenCVE Enrichment