Impact
The WP-CRM System plugin for WordPress contains a missing authorization check that allows authenticated users to invoke functions intended for higher-privileged roles. This flaw, classified as CWE-862 (Missing Authorization), permits an attacker with basic site access to view or modify customer data that should be restricted, potentially leading to disclosure or alteration of sensitive business information.
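As an added illustration, not code from WP-CRM System, the following hypothetical WordPress AJAX handler shows the CWE-862 pattern: a customer-record endpoint reachable by any logged-in user because nothing checks capability, followed by the same handler with the authorization and nonce checks a fix requires. All function, hook and capability names here are assumptions.

```php
<?php
// Hypothetical example (not the plugin's own code) of a missing
// authorization check in a WordPress AJAX handler and its hardened form.

// Lookup shared by both handlers; stands in for a real customer table.
function example_load_customer( int $id ): ?array {
    $customers = array(
        1 => array( 'name' => 'Acme Ltd', 'contract_value' => 120000 ), // constructed sample
    );
    return $customers[ $id ] ?? null;
}

// VULNERABLE: wp_ajax_* hooks fire only for authenticated users, but every
// authenticated role, including Subscriber, reaches this function because
// no capability is checked. That is exactly what CWE-862 describes.
function example_get_customer_vulnerable() {
    $id = (int) ( $_GET['id'] ?? 0 );
    wp_send_json_success( example_load_customer( $id ) );
}
add_action( 'wp_ajax_example_get_customer_vulnerable', 'example_get_customer_vulnerable' );

// FIXED: refuse unless the caller holds the capability the data requires,
// and bind the request to a nonce so it cannot be forged from another site.
function example_get_customer_fixed() {
    // Terminates with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_customer_nonce', 'nonce' );

    // 'manage_options' is an assumption; a real plugin should register a
    // narrower custom capability (for example 'view_customers') and map it
    // only to the roles that genuinely need customer data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $id       = absint( $_GET['id'] ?? 0 );
    $customer = example_load_customer( $id );
    if ( null === $customer ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }
    wp_send_json_success( $customer );
}
add_action( 'wp_ajax_example_get_customer_fixed', 'example_get_customer_fixed' );
```

When auditing a plugin for this class of flaw, review every `wp_ajax_*` and `admin_post_*` callback and every REST route's `permission_callback` for an explicit `current_user_can()` gate; being logged in is not an authorization decision.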
Affected Systems
All WordPress installations with the WP-CRM System plugin by Mario Peshev installed, in any version from the first released build through 3.4.6 inclusive. These sites are vulnerable regardless of other plugins or theme configuration; no additional platform constraints are noted.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1 % suggests a low probability of exploitation at present. The flaw is not listed in CISA's KEV catalog. The likely attack vector is web-based: an attacker must first authenticate to the WordPress site, but the missing authorization check then enables privilege escalation within the plugin. No publicly available exploit is documented, so attackers would rely on credential compromise or brute force to gain initial access before abusing the plugin's privileged functions. Overall risk is moderate with low exploitation likelihood, making this a low-to-moderate priority that should nonetheless be patched promptly.
OpenCVE Enrichment