The CVE describes a Missing Authorization flaw in Mario Peshev’s WP-CRM System plugin that allows an attacker to exploit incorrectly configured access control security levels. The vulnerability can let an unauthenticated or low‑privilege user access, modify, or delete CRM data that should be protected. Because the flaw is related to access-level enforcement, any user who can reach the plugin’s HTTP endpoints may gain permission to perform actions that should be limited to higher‑privileged roles, potentially compromising confidentiality and integrity of customer records.

WordPress installations running the WP‑CRM System plugin by Mario Peshev with a version of 3.4.5 or earlier are affected. No specific WordPress core version is identified as having inherent weaknesses; the issue lies solely in the plugin’s implementation of access controls.

The CVSS score of 5.4 indicates a moderate severity, and the EPSS score of less than 1% shows a very low probability that it will be actively exploited in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting it has not been observed in widespread exploit campaigns. Attackers can trigger the flaw by crafting HTTP requests to the plugin’s endpoints without legitimate authentication, or by using compromised credentials with insufficient privileges. Because the flaw arises from incorrect configuration of access levels, the barrier to exploitation is low from a technical standpoint, though the lack of public exploit evidence reduces current threat immediacy.