Impact
The WP Subscription Forms plugin is affected by a missing authorization weakness (CWE-862): an operation that should be restricted to privileged users is reachable without the plugin checking whether the caller holds the required capability. Where that operation touches form submissions or plugin settings, an attacker can read or alter submission data, exposing subscriber information, or change the plugin's configuration. The result is a loss of confidentiality and integrity for data handled through the subscription forms.
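The following is an added illustration of what a CWE-862 defect looks like in a WordPress plugin and how it is fixed. It is not code from WP Subscription Forms or from the advisory; every function name, AJAX action, option key, capability and REST route in it is hypothetical. It contrasts an admin-ajax handler pair that serves submission data and writes settings with no capability check against the hardened form, and shows the same mistake on a REST route.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
 * NOT code from WP Subscription Forms: all function names, AJAX actions,
 * option keys, capabilities and REST routes below are hypothetical.
 */

// ---- Vulnerable pattern (what CWE-862 looks like in practice) ---------------
// wp_ajax_* hooks only require that the caller be logged in. Nothing here asks
// what the caller is allowed to do, so any subscriber-level account can dump
// every stored submission and overwrite the plugin's settings.
function demo_sf_export_vulnerable() {
    wp_send_json_success( get_option( 'demo_sf_submissions', array() ) ); // hypothetical option key
}
add_action( 'wp_ajax_demo_sf_export_vuln', 'demo_sf_export_vulnerable' );

function demo_sf_save_settings_vulnerable() {
    update_option( 'demo_sf_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_sf_save_vuln', 'demo_sf_save_settings_vulnerable' );

// ---- Hardened pattern -------------------------------------------------------
// Two independent checks: the nonce ties the request to a user and an intent
// (CSRF defence), and current_user_can() is the authorization decision that
// was missing. Keep them separate; a valid nonce is not an authorization check.
function demo_sf_export_fixed() {
    check_ajax_referer( 'demo_sf_export', 'nonce' );      // ends the request with 403 on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {       // use the narrowest capability that fits
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( get_option( 'demo_sf_submissions', array() ) );
}
add_action( 'wp_ajax_demo_sf_export', 'demo_sf_export_fixed' );

function demo_sf_save_settings_fixed() {
    check_ajax_referer( 'demo_sf_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Authorization decided; now validate the input before persisting it.
    $settings = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? map_deep( wp_unslash( $_POST['settings'] ), 'sanitize_text_field' )
        : array();
    update_option( 'demo_sf_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_sf_save', 'demo_sf_save_settings_fixed' );

// ---- Same mistake and fix on a REST route -----------------------------------
// 'permission_callback' => '__return_true' is the REST API spelling of CWE-862
// for any route that is not genuinely public; bind it to a capability instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-sf/v1', '/submissions', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( get_option( 'demo_sf_submissions', array() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' ); // was '__return_true' in the vulnerable form
        },
    ) );
} );
```

When reviewing a plugin for this class of issue, the quick check is to list every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route()` registration and confirm that each handler that reads or writes non-public data reaches a `current_user_can()` (or an equivalent capability test) before it does so; a nonce check alone does not close the gap.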
Affected Systems
Affected sites run WP Shuffle's WP Subscription Forms plugin at any version up to and including 1.2.3. Because the flaw is a check that is absent from the plugin's code, it is present in every installation of these versions regardless of the WordPress core version, and tightening the plugin's default or custom access-control settings cannot be relied on to remove it. Sites that have not upgraded to a later release remain at risk.
Risk and Exploitability
The CVSS score of 5.4 places the issue in the Medium severity band. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild at present, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploitation likely requires some level of site access, such as an authenticated account; the advisory does not state the minimum role. Because the defect is an absent check rather than a bypass of a present one, an ordinary authenticated account is usually sufficient for this class of flaw, so a requirement for elevated privileges should not be assumed. The attack vector is inferred to be the plugin's administrative or user-facing interfaces where the access level is not enforced.
OpenCVE Enrichment