Impact
The Advanced Form Integration plugin for WordPress, in versions up to and including 1.126.12, contains a broken access control flaw classified as CWE-862 (Missing Authorization): the plugin does not enforce authorization checks on its subscriber endpoints, so users with insufficient privileges can read or modify subscriber data. An attacker who can reach the plugin through the web interface may therefore obtain unauthorized access to subscribers' personal information, compromising both its confidentiality and its integrity.
Affected Systems
WordPress sites running the Advanced Form Integration plugin at version 1.126.12 or earlier. Hosting configuration does not change the exposure: the plugin's code executes inside WordPress itself, so every site on which the plugin is active is affected. Sites where the plugin is installed but deactivated do not load its code and are not exposed until it is activated.
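The following is an added check, not part of this advisory or of the plugin, for deciding whether an installed copy falls inside the affected range. It reads the "Version:" header from the plugin's main file (the same header WordPress parses when listing plugins) and compares it with version_compare(), which handles the multi-digit last component correctly. The plugin directory and main-file name in the comment are assumptions; the sample header is constructed for the example.

```php
<?php
// Added check (not from the advisory or the plugin): is the installed
// version "1.126.12 or earlier"?

const EXAMPLE_AFI_LAST_AFFECTED = '1.126.12';

/** Extract the value of the "Version:" plugin header, or null if absent. */
function example_afi_header_version( string $contents ): ?string {
    // Same shape of match WordPress uses for plugin headers: the field may
    // sit inside a comment block, so leading comment characters are allowed.
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $contents, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

/** True when $version is within the affected range (<= 1.126.12). */
function example_afi_is_affected( string $version ): bool {
    // version_compare() compares each dotted component numerically, so
    // 1.126.2 < 1.126.12; a plain string comparison would get this wrong.
    return version_compare( $version, EXAMPLE_AFI_LAST_AFFECTED, '<=' );
}

// Constructed sample header standing in for the real file. On a live site,
// replace it with (path assumed, verify against your install):
// $sample = file_get_contents( WP_PLUGIN_DIR . '/advanced-form-integration/advanced-form-integration.php' );
$sample = "<?php\n/**\n * Plugin Name: Advanced Form Integration\n * Version: 1.126.2\n */\n";

$installed = example_afi_header_version( $sample );
if ( $installed === null ) {
    echo "Version header not found; check the file path.\n";
} else {
    printf(
        "installed %s -> %s\n",
        $installed,
        example_afi_is_affected( $installed ) ? 'AFFECTED, update the plugin' : 'outside the affected range'
    );
}
```

With WP-CLI available, the installed version can also be read with `wp plugin get advanced-form-integration --field=version` (the slug is an assumption; confirm it against the plugin directory on the site).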
Risk and Exploitability
The CVSS base score of 6.5 places the flaw in the Medium severity band, while the EPSS score of less than 1% indicates that the probability of exploitation in the wild is currently very low. The vulnerability is not listed in CISA's KEV catalog, so it had not been observed in known exploitation campaigns as of this assessment. From the description, the attack vector is inferred to be remote over the web interface: the attacker needs to reach the vulnerable plugin endpoints, typically by authenticating as a user with any role (on sites with open registration, a self-registered account at the lowest role suffices). Once authenticated, the missing authorization checks let the attacker read or modify subscriber data. The underlying defect is that the plugin treats authentication as authorization: WordPress's login establishes who the caller is, but the plugin must still verify what that caller is permitted to do. Administrators should confirm the installed version and update to a release newer than 1.126.12 that the vendor identifies as fixed.
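As an added illustration of the pattern described under Impact and in the attack path above, the block below shows a CWE-862 endpoint next to its hardened form. This is not code from the Advanced Form Integration plugin; the REST namespace, route, capability, option name, nonce action and all function names are assumed for the example.

```php
<?php
/**
 * Added illustration (not the plugin's code): a WordPress REST endpoint
 * that never checks whether the caller may act, beside the hardened form.
 * Namespace, route, capability, option and function names are assumed.
 */

/* ---------- Vulnerable pattern -----------------------------------------
 * permission_callback => '__return_true' tells WordPress to skip
 * authorization. Every logged-in role (sending its X-WP-Nonce) and even an
 * unauthenticated caller can list and edit subscriber records.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-afi-vuln/v1', '/subscribers', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_afi_list_subscribers',
            'permission_callback' => '__return_true', // no authorization
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_afi_update_subscriber',
            'permission_callback' => '__return_true', // no authorization
        ),
    ) );
} );

/* ---------- Hardened pattern -------------------------------------------
 * Authorization runs per route before the callback. Being logged in is
 * authentication only; the caller must also hold a capability that the
 * intended roles have (manage_options is held by administrators).
 */
function example_afi_can_manage_subscribers( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to access subscriber data.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-afi/v1', '/subscribers', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_afi_list_subscribers',
            'permission_callback' => 'example_afi_can_manage_subscribers',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_afi_update_subscriber',
            'permission_callback' => 'example_afi_can_manage_subscribers',
        ),
    ) );
} );

/* Shared callbacks. Keeping subscribers in one option is an assumption made
 * so the example is self-contained. */
function example_afi_list_subscribers( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_afi_subscribers', array() ) );
}

function example_afi_update_subscriber( WP_REST_Request $request ) {
    $subscribers = get_option( 'example_afi_subscribers', array() );
    $id          = absint( $request['id'] );
    $email       = sanitize_email( (string) $request['email'] );
    if ( ! isset( $subscribers[ $id ] ) ) {
        return new WP_Error( 'not_found', 'Unknown subscriber.', array( 'status' => 404 ) );
    }
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid e-mail address.', array( 'status' => 400 ) );
    }
    $subscribers[ $id ]['email'] = $email;
    update_option( 'example_afi_subscribers', $subscribers );
    return rest_ensure_response( $subscribers[ $id ] );
}

/* Same point for admin-ajax.php: wp_ajax_* hooks fire for ANY logged-in
 * user, so the handler itself must check the nonce and the capability. */
add_action( 'wp_ajax_example_afi_update_subscriber', function () {
    check_ajax_referer( 'example_afi_subscriber', 'nonce' ); // CSRF protection
    if ( ! current_user_can( 'manage_options' ) ) {          // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $request = new WP_REST_Request( 'POST' );
    $request->set_param( 'id', absint( $_POST['id'] ?? 0 ) );
    $request->set_param( 'email', sanitize_email( $_POST['email'] ?? '' ) );
    $result = example_afi_update_subscriber( $request );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), $result->get_error_data()['status'] ?? 400 );
    }
    wp_send_json_success( $result->get_data() );
} );
```

The only difference between the two REST registrations is the permission callback, which is exactly where a CWE-862 review of a plugin should look: every `register_rest_route` call whose `permission_callback` is `__return_true` (or missing) and every `wp_ajax_*` handler without a `current_user_can()` check is a candidate for the class of flaw this advisory describes.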
OpenCVE Enrichment