A missing authorization flaw in the Spreadconnect plugin lets anyone craft a request that bypasses the normal WordPress permission checks and perform actions the visitor should not be able to execute. The flaw can be leveraged to alter plugin settings or access sensitive data stored by the plugin, potentially leading to unauthorized data disclosure or integrity violations. The weakness is identified as CWE-862, a broken access control vulnerability.

WordPress installations that have the Spreadconnect plugin version 2.1.5 or earlier are affected. Attackers only need to target these sites to interact with the vulnerable plugin code. No vendor or operating system specific platform is required—any standard WordPress site running the affected plugin can be compromised.

The CVSS score of 5.4 classifies the vulnerability as moderate. The EPSS score is less than 1% indicating a low exploitation probability at the current time. The vulnerability is not listed in the CISA KEV catalog, so it is not known to be actively exploited in large-scale or targeted campaigns. However, because the flaw can be triggered remotely via HTTP requests without authentication, an attacker who knows the site’s URL and the plugin endpoints could potentially exploit the vulnerability using a simple web request. The impact is limited to the privileges of the user role that the attacker can impersonate through the flaw, but it could still lead to significant account takeover or site compromise if the plugin handles critical data.