Impact
BuddyForms for WordPress (Themekraft) is affected by a CWE-862 missing authorization flaw: at least one operation is exposed without verifying that the caller holds the capability it should require, so a user who can reach the endpoint can invoke functionality intended for higher-privilege roles. Depending on the operation, that can mean reading or modifying data that should be restricted. The advisory text does not state whether the attacker must be authenticated or which role is needed. The usual shape of this flaw class in WordPress plugins is a handler hooked to wp_ajax_ or a REST route that is reachable by any logged-in account and performs no capability check, which would mean a low-privilege account suffices; treat that as an inference from the bug class, not as something the description confirms.
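To make the bug class concrete, here is an added, hypothetical WordPress AJAX handler written for this page in the vulnerable shape and in a hardened shape. It is not BuddyForms' source and does not reproduce the plugin's actual function; the action name example_save_form_setting, the post type example_form and the meta key _example_setting are all invented for illustration. The WordPress functions used (add_action, check_ajax_referer, current_user_can, get_post_type, update_post_meta, wp_send_json_success, wp_send_json_error) are real core APIs.

```php
<?php
/**
 * Illustrative CWE-862 pattern in a WordPress AJAX handler.
 * Hypothetical code added for this page; NOT BuddyForms' source.
 */

// --- Vulnerable shape: reachable by any logged-in user, no authorization ---
// wp_ajax_* guarantees only that a session exists; a subscriber qualifies.
add_action( 'wp_ajax_example_save_form_setting', 'example_save_form_setting_vulnerable' );

function example_save_form_setting_vulnerable() {
    $form_id = absint( $_POST['form_id'] ?? 0 );
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );

    // Input is sanitized, but nobody asked whether this user may change
    // this form. Sanitization is not authorization.
    update_post_meta( $form_id, '_example_setting', $value );
    wp_send_json_success();
}

// --- Hardened shape: CSRF token AND an object-level capability check ---
add_action( 'wp_ajax_example_save_form_setting_fixed', 'example_save_form_setting_fixed' );

function example_save_form_setting_fixed() {
    // The nonce blocks cross-site request forgery; it is not an
    // authorization decision and on its own would not fix CWE-862.
    check_ajax_referer( 'example_save_form_setting', 'nonce' );

    $form_id = absint( $_POST['form_id'] ?? 0 );
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );

    // Authorization: the caller must be allowed to edit THIS post, not merely
    // be logged in. 'edit_post' with an ID is object-level; for site-wide
    // settings a coarse capability such as 'manage_options' would be used.
    if ( ! $form_id
        || get_post_type( $form_id ) !== 'example_form'
        || ! current_user_can( 'edit_post', $form_id ) ) {
        // wp_send_json_error() terminates the request after sending.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    update_post_meta( $form_id, '_example_setting', $value );
    wp_send_json_success();
}
```

To test a handler of this shape during a review, log in as the lowest role the site allows (typically subscriber) and POST the action name to /wp-admin/admin-ajax.php; a success response from that account is the finding, and a 403 from the hardened version is the expected result. The same distinction applies to REST routes: a permission_callback that returns true for any authenticated user has the same missing-authorization problem as the vulnerable handler above.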
Affected Systems
WordPress sites running the Themekraft BuddyForms plugin at version 2.9.0 or earlier are affected. Those releases do not enforce the expected authorization check before the affected operation. Because the description does not specify which role is required, do not assume that only administrators or editors can trigger it; sites that allow open registration or hold many low-privilege accounts should treat it as reachable by those accounts. Releases after 2.9.0 are not reported as affected. Check the installed version under Plugins in wp-admin, or with WP-CLI using wp plugin get buddyforms --field=version (assuming the plugin's directory slug is buddyforms), and update if the version is 2.9.0 or lower.
Risk and Exploitability
A CVSS base score of 5.3 places this at medium severity, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The privilege required to exploit it is not stated in the description; if the full CVSS vector is published with the advisory, its Privileges Required (PR) metric is the authoritative answer and should be read rather than inferred from the bug class. A low EPSS score and absence from KEV do not mean the flaw is hard to exploit: missing-authorization bugs in WordPress plugins are usually trivial to trigger once the exposed endpoint is known, so the practical risk to a given site depends mainly on whether untrusted users can obtain an account there.
OpenCVE Enrichment