Impact
A broken access control flaw in the Elastic Email Sender WordPress plugin allows an attacker to perform operations that normally require higher privileges. The vulnerability is classified as CWE‑862 (Missing Authorization) and can enable users without the appropriate role to manipulate email-sending functions or read sensitive configuration data. The exact scope of the impact depends on which plugin features lack the check, but it may permit unintended data exposure or abuse of the site's mail-sending capability within the affected WordPress installation.
Affected Systems
The flaw affects the Elastic Email Sender plugin for WordPress, from the first release up to and including version 1.2.20. Any WordPress site running one of these plugin versions is at risk.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% signals a very low exploitation probability at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, exploitation would involve sending crafted requests to the plugin's privileged endpoints; because the access control checks that should restrict these actions are missing, an attacker who can reach the plugin interface can perform operations reserved for higher-privileged roles. No public exploit is known, and no prerequisites are documented beyond the ability to interact with the WordPress plugin API.
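The missing-authorization pattern behind CWE‑862 in a WordPress plugin, shown as a vulnerable handler beside its hardened form. This is an added illustration, not code from the Elastic Email Sender plugin; the hook, function and option names are hypothetical placeholders.

```php
<?php
// Added illustration only; hook, function and option names are hypothetical.

// BEFORE (CWE-862 pattern): the handler runs for any logged-in user who can
// reach admin-ajax.php (any role, including subscriber), because it never
// asks whether the caller is authorized to change plugin settings.
add_action( 'wp_ajax_ees_example_save_settings_unchecked', 'ees_example_save_settings_unchecked' );
function ees_example_save_settings_unchecked() {
    update_option( 'ees_example_from_email', $_POST['from_email'] );
    wp_send_json_success();
}

// AFTER: capability check, CSRF nonce, and input validation.
add_action( 'wp_ajax_ees_example_save_settings', 'ees_example_save_settings_checked' );
function ees_example_save_settings_checked() {
    // Authorization: only users allowed to manage site options may proceed.
    // This is the check whose absence constitutes CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce: rejects requests forged from another origin using an admin's session.
    check_ajax_referer( 'ees_example_settings', 'nonce' );

    // Validate the value before persisting it.
    $from = isset( $_POST['from_email'] )
        ? sanitize_email( wp_unslash( $_POST['from_email'] ) )
        : '';
    if ( ! is_email( $from ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    update_option( 'ees_example_from_email', $from );
    wp_send_json_success();
}

// The same rule applies to REST routes: a permission_callback of
// '__return_true' on a settings endpoint is the REST-API form of this bug;
// it should instead return current_user_can( 'manage_options' ).
```

When auditing a plugin for this class of flaw, list every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route` handler and confirm each one performs a capability check before any state change or configuration read.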
OpenCVE Enrichment