Impact
A missing authorization check in Smackcoders Inc.’s Lead Form Data Collection to CRM plugin allows an attacker to update arbitrary options in the WordPress database. By manipulating option values, an authenticated user can elevate privileges and potentially gain administrative capabilities on the site. The flaw is classified as CWE‑862 (Missing Authorization): a privileged operation is exposed without verifying that the calling user is permitted to perform it.
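The root cause described above is an option-update handler that never asks whether the caller is allowed to write options. The following is an added illustration written for this page, not code from the Smackcoders plugin: a hypothetical WordPress AJAX handler in its vulnerable shape next to a hardened version. All names (the lfc_demo_* action and option names, the nonce action) are placeholders, and the hardened handler uses only standard WordPress APIs (current_user_can, check_ajax_referer, update_option and the sanitize_*/esc_* helpers).

```php
<?php
// Added example, not the plugin's code. Names prefixed lfc_demo_ are hypothetical.

// VULNERABLE PATTERN (CWE-862): any logged-in user can reach a wp_ajax_* action,
// and this one writes whatever option name/value the request supplies.
add_action( 'wp_ajax_lfc_demo_save_setting_vuln', 'lfc_demo_save_setting_vuln' );
function lfc_demo_save_setting_vuln() {
    $name  = $_POST['option_name'];    // attacker-controlled row in wp_options
    $value = $_POST['option_value'];
    update_option( $name, $value );    // no capability check, no nonce, no allowlist
    wp_send_json_success();
}

// HARDENED PATTERN: authorization, CSRF protection, an allowlist of the plugin's
// own options, and per-option sanitization. Each check ends the request on failure.
add_action( 'wp_ajax_lfc_demo_save_setting', 'lfc_demo_save_setting' );
function lfc_demo_save_setting() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: nonce created with wp_create_nonce( 'lfc_demo_settings' )
    //    and posted in the 'nonce' field; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'lfc_demo_settings', 'nonce' );

    // 3. Allowlist: the handler may touch only its own settings, never arbitrary
    //    wp_options rows such as role or registration settings.
    $allowed = array(
        'lfc_demo_crm_endpoint' => 'esc_url_raw',
        'lfc_demo_api_key'      => 'sanitize_text_field',
    );
    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Sanitize with the sanitizer registered for that specific option.
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

The allowlist in step 3 is the control that addresses the "arbitrary options" part of this advisory: even if a future bug weakened the capability check, the endpoint could still only write the two settings it owns. When reviewing other plugins for the same class of issue, the search is for update_option() (or delete_option()/add_option()) reachable from a wp_ajax_*, admin_post_* or REST callback whose permission check is missing or is only a nonce.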
Affected Systems
The vulnerability affects the Lead Form Data Collection to CRM plugin distributed by Smackcoders Inc. Versions from n/a through 3.1 are impacted, i.e. every release up to and including 3.1, with no lower bound given. All WordPress installations running the plugin at any of those versions are therefore at risk.
Risk and Exploitability
The CVSS score of 8.8 signals a high-severity vulnerability. The EPSS score is below 1%, indicating a low current probability of exploitation, and the flaw is not listed in the CISA KEV catalog, so no widespread exploitation has been documented. Based on the description, the attack vector is inferred to require a logged-in user who can reach the plugin’s option-update endpoint; there is no evidence of remote code execution, and no user interaction beyond normal usage appears to be needed. Because no elevated role or additional credentials are required, an attacker with basic account access faces a low barrier to gaining administrative rights.