This vulnerability is a missing authorization flaw that allows an attacker to bypass intended access controls within the WordPress WebToffee eCommerce Marketing Automation plugin. An unauthenticated or low‑privileged user could potentially access, view, or modify the plugin’s configuration settings, leading to unintended changes to marketing automation behavior. The weakness is categorized as CWE‑862 and carries a CVSS score of 4.3, indicating moderate severity.

The issue affects the WebToffee eCommerce Marketing Automation WordPress plugin, specifically the decorator‑woocommerce‑email‑customizer component, in all releases up to and including version 2.1.1. The vendor, WebToffee, has reported that the problem stems from incorrectly configured access‑control security levels, and the vulnerability does not appear in later releases.

With an EPSS score of less than 1 % and no listing in the CISA KEV catalog, the likelihood of exploitation in the wild is currently low; however, the moderate CVSS score suggests that once discovered an attacker could gain unauthorized access to plugin settings. The likely attack vector is through web requests to privileged administrative endpoints of the plugin; based on the description, the vulnerability can be exploited without need for elevated system privileges. Administrators should verify that only trusted users can access the plugin’s configuration interface.