Impact
The vulnerability is a missing authorization flaw in the Contact Form by BestWebSoft WordPress plugin: at least one plugin function performs a privileged action without first verifying that the caller is entitled to perform it, so the intended access control can be bypassed. (The wording about "exploiting incorrectly configured access control security levels" that accompanies this class of advisory is the generic attack-pattern name for the flaw, not a separate misconfiguration on the site owner's part.) Depending on how the affected function is exposed, an unauthenticated visitor or a low-privileged account such as a subscriber could perform actions meant for administrators, such as modifying form settings, retrieving stored data, or manipulating how submissions are handled. The direct impact is to the integrity and confidentiality of any data the form processes; control over the plugin's settings could also serve as a step toward broader compromise of the site if its functions are leveraged for further attacks.
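To make the flaw class concrete, the following is an added example of what a missing authorization check looks like in a WordPress plugin, placed beside its hardened form. It is illustrative code written for this page, not code from Contact Form by BestWebSoft, and it does not claim to show the plugin's actual affected function; the action names, the option key `example_cf_settings`, the nonce action and the capability chosen are all hypothetical.

```php
<?php
/**
 * Added illustration of a missing-authorization flaw in a WordPress plugin,
 * with the hardened form beside it. Not code from Contact Form by BestWebSoft;
 * the action names, option key and nonce action below are hypothetical.
 */

/* ---- Vulnerable pattern -------------------------------------------------
 * wp_ajax_{action} fires for every logged-in user, whatever their role, so a
 * subscriber can reach this handler by POSTing to /wp-admin/admin-ajax.php
 * with action=example_cf_save_settings. Registering the same callback under
 * wp_ajax_nopriv_{action} would open it to unauthenticated visitors as well.
 * Being logged in is authentication, not authorization: nothing here checks
 * that the caller is allowed to change plugin settings.
 */
add_action( 'wp_ajax_example_cf_save_settings', 'example_cf_save_settings_vulnerable' );
function example_cf_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_cf_settings', $settings ); // no capability check, no nonce
    wp_send_json_success();
}

/* ---- Hardened pattern ---------------------------------------------------
 * Two independent checks. The capability check is the authorization decision
 * and is what a fix for "missing authorization" adds. The nonce check defends
 * against cross-site request forgery aimed at an administrator who *is*
 * allowed to perform the action. Neither substitutes for the other.
 */
add_action( 'wp_ajax_example_cf_save_settings_hardened', 'example_cf_save_settings_hardened' );
function example_cf_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // ends the request via wp_die()
    }
    check_ajax_referer( 'example_cf_settings_nonce', 'nonce' ); // dies on an invalid or missing nonce

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw ); // flat array of strings assumed
    update_option( 'example_cf_settings', $settings );
    wp_send_json_success( array( 'saved' => count( $settings ) ) );
}
```

The nonce is generated on the settings page with `wp_create_nonce( 'example_cf_settings_nonce' )` and sent as the `nonce` POST field. A practical way to confirm which pattern a handler follows is to log in as a subscriber and POST to admin-ajax.php with the action name: the hardened handler answers 403, the vulnerable one writes the option. The same distinction applies to `admin_post_{action}` hooks and to REST routes registered with `register_rest_route()`, where the `permission_callback` is the authorization check and a `permission_callback` of `__return_true` on a state-changing route is the REST equivalent of this flaw.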
Affected Systems
The affected product is the Contact Form by BestWebSoft plugin for WordPress. Every release up to and including version 4.3.6 is affected; no lower bound is given, so any installed version that is not newer than 4.3.6 should be treated as vulnerable. The data here does not name the release that fixes the issue, so check the plugin's changelog rather than assuming a particular later version is patched.
Risk and Exploitability
A CVSS base score of 4.3 places the issue in the Medium band, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The available data does not identify the affected function or the privilege level it requires, so the attack path can only be inferred: missing-authorization flaws in WordPress plugins are typically reached through plugin-registered admin-ajax.php actions, admin-post handlers or REST routes that accept requests from users whose role should not permit the action, and in the worst case from unauthenticated requests. The exact preconditions for exploiting this particular flaw remain unconfirmed.
OpenCVE Enrichment