Impact
The CVE describes an authentication bypass in the Emails Catch All plugin developed by Iulia Cazan, located in its password-recovery path. The flaw allows an unauthenticated user to trigger a password reset and then use the resulting reset token to authenticate without knowing the original password. Based on the description, it is inferred that an attacker could thereby obtain unrestricted administrative access to the WordPress site, enabling data theft, defacement, or further lateral movement.
Affected Systems
All installations of the Emails Catch All plugin by Iulia Cazan, from its first release through version 3.5.3, are vulnerable. Site owners should check the installed plugin version and confirm that it is newer than 3.5.3, or otherwise mitigate the risk.
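As an added defender-side check (not code from the plugin, the advisory, or OpenCVE), the following Python scans a WordPress plugins directory for any plugin whose header names Emails Catch All and flags a version at or below 3.5.3. The plugins-directory path, the header-matching approach, and the sample header are assumptions made for this example.

```python
import re
from pathlib import Path

AFFECTED_MAX = "3.5.3"  # last version the advisory lists as vulnerable

# Matches "Plugin Name:" and "Version:" lines inside a WordPress plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_plugin_header(text):
    """Return the first 'Plugin Name' and 'Version' values found in a plugin main-file header."""
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def version_tuple(version):
    """Numeric-prefix version parse: '3.5.3' -> (3, 5, 3); suffixes such as '-beta' are ignored."""
    match = re.match(r"[\d.]+", version.strip())
    return tuple(int(p) for p in match.group(0).split(".") if p) if match else ()


def is_affected(version):
    """True when the version is at or below AFFECTED_MAX (missing components count as 0)."""
    a, b = version_tuple(version), version_tuple(AFFECTED_MAX)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def audit_plugins_dir(plugins_dir):
    """Scan wp-content/plugins (path is an assumption) and report (file, version, affected) tuples."""
    findings = []
    for php in Path(plugins_dir).glob("*/*.php"):
        header = parse_plugin_header(php.read_text(errors="ignore")[:8192])
        if "emails catch all" in header.get("Plugin Name", "").lower() and "Version" in header:
            findings.append((str(php), header["Version"], is_affected(header["Version"])))
    return findings


# Constructed sample header (not copied from the real plugin) so the check can be exercised offline.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Emails Catch All
 * Version: 3.5.3
 */
"""
```

Run `audit_plugins_dir("/var/www/html/wp-content/plugins")` (path assumed) on a real install; any tuple ending in `True` is an installation the advisory covers.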
Risk and Exploitability
The CVSS score of 8.8 classifies this as a high-severity flaw, while the EPSS score of less than 1% indicates a currently low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack requires only access to the publicly exposed password-reset form offered by the plugin, with no advanced techniques or additional privileges needed. Although widespread exploitation appears limited at present, the high CVSS rating means the risk remains significant for WordPress sites running the affected plugin, whether or not the flaw ever receives a KEV listing.
OpenCVE Enrichment