Impact
A missing authorization flaw in the WPFactory CRM ERP Business Solution plugin for WordPress lets an attacker bypass the plugin's configured security levels and reach functionality and data that should be restricted to privileged users. The weakness is classified as CWE-862 (Missing Authorization), a form of broken access control: an action or data source is exposed without a check that the caller is actually permitted to use it. In practice, a threat actor can invoke operations or read information the plugin's settings were meant to restrict, which can lead to exposure or manipulation of CRM/ERP data held by the WordPress site.
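The following is an added illustration of the CWE-862 pattern as it typically appears in a WordPress plugin; it is hypothetical example code written for this page, not WPFactory's plugin source, and the action name, capability name, nonce action and table name are all assumptions. It shows an admin-ajax handler that exposes CRM data without asking WordPress whether the caller is authorized, beside a hardened version that enforces a capability check and a nonce.

```php
<?php
// Hypothetical plugin code illustrating CWE-862 (Missing Authorization).
// Not WPFactory's code; the action 'crm_export_customers', the capability
// 'crm_export_customers', the nonce action 'crm_export' and the table
// {$wpdb->prefix}crm_customers are constructed for this example.

// VULNERABLE: registered for logged-in users (wp_ajax_) AND anonymous
// visitors (wp_ajax_nopriv_), and the callback never checks who is calling.
// Any visitor who knows the action name can pull the customer list.
add_action( 'wp_ajax_crm_export_customers',        'crm_export_customers_vulnerable' );
add_action( 'wp_ajax_nopriv_crm_export_customers', 'crm_export_customers_vulnerable' );

function crm_export_customers_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, name, email FROM {$wpdb->prefix}crm_customers",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// FIXED: a single registration (no nopriv hook, so the request must carry a
// valid logged-in session), an authorization check against a capability that
// WordPress itself enforces, and a nonce so an authorized user cannot be
// tricked into triggering the export from another site (CSRF).
add_action( 'wp_ajax_crm_export_customers', 'crm_export_customers_fixed' );

function crm_export_customers_fixed() {
    // Authorization: the current user must hold the capability. Roles that
    // should be allowed get it via add_cap() at plugin activation (assumed).
    if ( ! current_user_can( 'crm_export_customers' ) ) {
        // wp_send_json_error() sends the JSON body and calls wp_die().
        wp_send_json_error( 'forbidden', 403 );
    }

    // Anti-CSRF: the page issuing the request embeds
    // wp_create_nonce( 'crm_export' ) in the 'nonce' parameter.
    // check_ajax_referer() terminates the request if it does not verify.
    check_ajax_referer( 'crm_export', 'nonce' );

    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, name, email FROM {$wpdb->prefix}crm_customers",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}
```

The point of the hardened version is that a plugin's own "security level" setting is only meaningful if every entry point (admin-ajax actions, REST routes, admin-post handlers, shortcodes) translates it into a `current_user_can()` check before doing the work; a level that is stored but never consulted on a given code path is exactly the CWE-862 condition described above.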
Affected Systems
All releases of the WPFactory CRM ERP Business Solution WordPress plugin from the first version up to and including 1.13 are affected. Any site with one of these releases installed is exposed; updating to a release later than 1.13 removes the flaw. To confirm which release a site is running, check the plugin's entry on the WordPress Plugins screen or the `Version:` header of the plugin's main PHP file.
Risk and Exploitability
A CVSS score of 5.3 places the issue at medium severity, and an EPSS score below 1% indicates a very low estimated probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, so there is no public record of it being exploited in the wild. The description implies a remote attack vector: the flaw is reached through the WordPress web interface that hosts the plugin, and it exists precisely because a role or capability check is not enforced on the affected functionality. Whether the attacker needs an account on the site depends on which entry points lack the check, which the description does not specify. With no public exploit known, the risk remains moderate, but a fixed release is available and updating past 1.13 is the straightforward remediation.