Impact
Missing Authorization in the WP-CRM System plugin allows a user to invoke operations that are not properly constrained by access control lists. This flaw enables an attacker who can reach the plugin’s functions to perform actions intended only for privileged users, potentially exposing sensitive customer data or manipulating the CRM. The weakness is a classic example of improper authorization (CWE‑862).
Affected Systems
The vulnerability affects the WordPress WP‑CRM System plugin developed by Mario Peshev. All released versions from the earliest available through version 3.4.2 are impacted. Users running the plugin on any WordPress installation should assume the plugin is vulnerable until updated to a later version that fixes the authorization check.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% shows the likelihood of public exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw allows privileged actions to be performed by any authenticated or potentially unauthenticated user, an attacker could exploit it with minimal effort if the plugin is publicly accessible. The likely attack vector is remote, via the web interface, and would require the attacker to convince a user to visit a crafted URL or to send a direct HTTP request to the plugin’s endpoints. The official mitigation is to apply the vendor's patch; no workaround is documented. Given the low exploitation probability, monitoring is recommended until the patch is confirmed, but administrators should update immediately to eliminate the authorization bypass.
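To make the CWE-862 pattern described in the Impact and Risk sections concrete, the following is an added illustration of a WordPress AJAX handler without an authorization check beside a hardened version. It is not code from the WP-CRM System plugin; the action name, post type, meta key and capability are hypothetical.

```php
<?php
// Illustrative WordPress AJAX handler for a CRM-style contact update.
// Hypothetical names throughout; NOT code from the WP-CRM System plugin.

// BEFORE (CWE-862): any request that reaches the endpoint can update a
// contact, and the "nopriv" hook also exposes it to unauthenticated visitors.
add_action( 'wp_ajax_demo_crm_update_contact', 'demo_crm_update_contact_unsafe' );
add_action( 'wp_ajax_nopriv_demo_crm_update_contact', 'demo_crm_update_contact_unsafe' );

function demo_crm_update_contact_unsafe() {
    $id    = absint( $_POST['contact_id'] ?? 0 );
    $email = sanitize_email( $_POST['email'] ?? '' );
    update_post_meta( $id, 'demo_crm_email', $email ); // no capability or nonce check
    wp_send_json_success();
}

// AFTER: registered only for logged-in users, and the handler verifies a
// nonce (CSRF) and a capability (authorization) before touching any data.
add_action( 'wp_ajax_demo_crm_update_contact_safe', 'demo_crm_update_contact_safe' );

function demo_crm_update_contact_safe() {
    // Rejects requests lacking a nonce created with wp_create_nonce('demo_crm_update').
    check_ajax_referer( 'demo_crm_update', 'nonce' );

    // Authorization: caller must hold the capability reserved for CRM edits.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $id = absint( $_POST['contact_id'] ?? 0 );
    // Object-level check: the record must exist and belong to the CRM post type.
    if ( ! $id || get_post_type( $id ) !== 'demo_crm_contact' ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    $email = sanitize_email( $_POST['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'invalid email' ), 400 );
    }

    update_post_meta( $id, 'demo_crm_email', $email );
    wp_send_json_success();
}
```

Auditing a plugin for this class of flaw means locating every `wp_ajax_*`, `wp_ajax_nopriv_*`, REST route and admin-post handler and confirming each performs the `current_user_can()` check (and nonce check) before any state-changing or data-returning call.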
OpenCVE Enrichment
EUVD