The vulnerability is a missing authorization flaw that allows an attacker to access functionality that should be restricted. By exploiting incorrectly configured access control security levels within the WordPress “Questionar for Elementor” plugin, an attacker could potentially read, modify, or delete data handled by the plugin, including form entries or survey results. This can compromise confidentiality and integrity of content presented to site visitors. The likely attack vector is through the web interface of the plugin, though the exact method is inferred rather than directly stated.

The security flaw affects the WordPress “Questionar for Elementor” plugin released by merkulove, specifically all versions through 1.1.7. Any WordPress site that has installed this plugin before the 1.1.8 release is potentially susceptible. The plugin runs on the standard WordPress platform, so any WordPress installation hosting it is impacted.

The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests that the probability of this flaw being actively exploited is low at the moment, and the flaw is not listed in the CISA KEV catalog. The vulnerability is a missing authorization bug and would most likely be exploited through the web interface of the plugin by an authenticated or unauthenticated user, depending on how the access control is misconfigured. Because the flaw allows unauthorized users to gain elevated privileges within the plugin, the threat level is moderate but warrants prompt assessment.