Impact
The vulnerability is a missing authorization flaw in the Cool Plugins Elementor Contact Form DB plugin. The plugin exposes functionality without enforcing a proper access-control check, so a user whose access level was never meant to cover that functionality can reach actions and data that should be reserved for privileged users. The primary consequence is unauthorized exposure or modification of the data the plugin stores (the form submissions it records in the database) and, depending on which actions are reachable, of plugin settings. That directly undermines confidentiality and integrity; availability is affected only where the reachable actions can delete stored submissions or alter settings that the site depends on.
Affected Systems
WordPress sites running Cool Plugins Elementor Contact Form DB at version 2.1.3 or any earlier release are affected. The affected product is the plugin named Elementor Contact Form DB, distributed by Cool Plugins. No WordPress core or PHP version constraints are listed, so the affected range should be read purely by plugin version: any site with an affected plugin version installed is at risk regardless of its core or PHP version.
Risk and Exploitability
The CVSS score of 5.3 falls in the Medium band (4.0 to 6.9 under CVSS v3.x). A Medium score by itself says nothing about how much privilege an attacker gains; it is a composite of exploitability and impact, and 5.3 is the value typically produced when one of confidentiality, integrity or availability is rated Low and the others None, not a marker of "significant privileges". The EPSS score of less than 1% is an estimate of the probability that the vulnerability will be exploited in the wild in the next 30 days, so it indicates that exploitation is currently expected to be rare, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The description does not state the attack vector. The most common shape of a missing-authorization flaw in a WordPress plugin is a handler (an admin page, an AJAX action or a REST route) that is reachable by any authenticated user, including a low-privileged role such as subscriber, so the likely path is an attacker with a WordPress account using the unprotected action to read or change data they should not be able to reach. If the affected handler is also registered for unauthenticated requests, the same action is reachable without any account, and the risk extends to anonymous visitors.
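The pattern described under Impact and Risk and Exploitability, shown as an added illustration rather than code from the plugin: a WordPress AJAX handler that returns stored form submissions, first without any authorization check, then with the checks a plugin should perform. The action names, function names and the table name are hypothetical and are not taken from Elementor Contact Form DB; the WordPress API calls (add_action, check_ajax_referer, current_user_can, wp_send_json_success, wp_send_json_error, wp_create_nonce) are the real core functions.

```php
<?php
// Added example, not the plugin's code. Action, function and table names are
// hypothetical; only the WordPress core functions are real.

// --- Vulnerable pattern: missing authorization ----------------------------
// Registering a callback under wp_ajax_{action} makes it callable by every
// logged-in role, including subscriber; registering it under
// wp_ajax_nopriv_{action} as well makes it callable by anonymous visitors.
// Nothing in the callback asks who is calling or why.
add_action( 'wp_ajax_example_export_entries',        'example_export_entries_unchecked' );
add_action( 'wp_ajax_nopriv_example_export_entries', 'example_export_entries_unchecked' );

function example_export_entries_unchecked() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries'; // hypothetical table
    $rows  = $wpdb->get_results( "SELECT id, submitted_at, payload FROM {$table}", ARRAY_A );
    wp_send_json_success( $rows ); // every stored submission leaves the site
}

// --- Hardened pattern: nonce + capability check ---------------------------
// Only the logged-in hook is registered, so anonymous requests never reach
// the callback. That alone is not authorization: a subscriber can still call
// it, so the callback must also require a capability that low-privileged
// roles do not hold. The nonce ties the request to a page the caller was
// legitimately served, which stops cross-site request forgery.
add_action( 'wp_ajax_example_export_entries_safe', 'example_export_entries_checked' );

function example_export_entries_checked() {
    // CSRF protection: the nonce must have been minted for this exact action.
    // Passing false as the third argument makes check_ajax_referer() return
    // instead of dying, so we control the response.
    if ( ! check_ajax_referer( 'example_export_entries', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Authorization: manage_options is granted only to administrators by
    // default. Subscribers, contributors, authors and editors are refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries';
    $rows  = $wpdb->get_results( "SELECT id, submitted_at, payload FROM {$table}", ARRAY_A );
    wp_send_json_success( $rows );
}

// The nonce the admin page's script must send with the request is minted
// server-side when that page is rendered, for example:
//
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_export_entries' ),
// ) );
```

When auditing a plugin for this class of flaw, the two things to look for are exactly the two differences above: whether a callback is registered under a wp_ajax_nopriv_ hook (or a REST route with permission_callback set to __return_true) when it touches private data, and whether the callback itself calls current_user_can() with a capability appropriate to the action before it reads or writes anything. A nonce check on its own does not replace the capability check; nonces are minted for whoever is viewing the page, so a subscriber who can load the page can obtain a valid one.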
OpenCVE Enrichment