Impact
The vulnerability is a missing authorization flaw in the Constant Contact + WooCommerce plugin for WordPress. An attacker can send requests to plugin endpoints that are not properly protected and thereby perform actions that should be restricted to privileged users. The flaw allows unauthorized reading or modification of plugin data, potentially exposing customer information or altering e‑commerce behavior. This is a classic missing-authorization (access control) weakness, classified as CWE‑862.
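To make the weakness class concrete, the following added example (hypothetical code written for this note, not the Constant Contact + WooCommerce plugin's own source) shows a WordPress REST endpoint registered without any authorization check next to a hardened version of the same endpoint; the route, option and function names are placeholders.

```php
<?php
// Hypothetical WordPress plugin code, constructed for illustration only.
// Route, option and function names are placeholders, not the real plugin's.

// --- Vulnerable pattern (CWE-862): the endpoint is reachable by anyone ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        // '__return_true' lets every request through: no authorization at all.
        'permission_callback' => '__return_true',
    ) );
} );

function example_update_settings( WP_REST_Request $request ) {
    // Unauthenticated callers can rewrite the plugin's configuration.
    update_option( 'example_plugin_settings', $request->get_json_params() );
    return rest_ensure_response( array( 'updated' => true ) );
}

// --- Hardened pattern: authorization is enforced before the callback runs ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings_secure',
        // Only users holding the capability reach the callback. With cookie
        // auth, WordPress also requires a valid X-WP-Nonce header, otherwise
        // the request is treated as unauthenticated and this returns false.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_update_settings_secure( WP_REST_Request $request ) {
    // Defense in depth: re-check inside the callback as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    update_option( 'example_plugin_settings', array( 'api_key' => $request->get_param( 'api_key' ) ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

For admin-ajax handlers the equivalent fix is a `check_ajax_referer()` nonce check followed by a `current_user_can()` capability check at the top of the handler; a `wp_ajax_nopriv_*` hook that performs a privileged action is the same class of flaw.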
Affected Systems
The flaw affects the Constant Contact + WooCommerce plugin for WordPress. All versions from the earliest release up through 2.4.1 are vulnerable, so any installation running one of these versions is susceptible. The plugin runs inside a WordPress site, and the vulnerability is present whether or not the site actually uses WooCommerce, as long as the plugin is active.
Risk and Exploitability
The vendor has assigned a CVSS score of 5.3, indicating moderate severity, and the EPSS score is below 1 %, implying a low likelihood of exploitation at present. The likely attack vector is web‑based: an unauthenticated or minimally privileged web request to the plugin’s endpoint. Because the flaw allows unauthorized actions that could expose or manipulate sensitive data, the risk remains real even though the vulnerability is not listed in the CISA KEV catalog.
OpenCVE Enrichment