Impact
The Residential Address Detection plugin for WordPress contains a missing authorization check that allows unauthenticated or insufficiently privileged users to invoke actions that should be protected by access control lists. This flaw is a classic example of CWE‑862 (Missing Authorization). A compromised or malicious user could call privileged endpoints and potentially retrieve or modify sensitive address information or manipulate the plugin’s processing logic, thereby affecting confidentiality and integrity of address data hosted on the site.
Affected Systems
WordPress installations running the EnitureTechnology Residential Address Detection plugin at version 2.5.9 or any earlier release are affected. No narrower version range is specified beyond the upper bound of 2.5.9.
Risk and Exploitability
The CVSS base score of 5.3 indicates moderate severity. The EPSS score of less than 1% reflects a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is HTTP requests to the plugin’s endpoints; this is inferred because the description cites a missing authorization guard but does not specify a vector. A threat actor only needs to be able to send requests to the WordPress site’s URLs that correspond to the plugin’s exposed functionality; no privileged account or user interaction is required.