The vulnerability is a broken access control affecting subscriber data within the Omnisend Email Marketing for WooCommerce WordPress plugin versions 1.19.0 and earlier. As described, the flaw allows an attacker to bypass authentication controls for subscriber records, potentially enabling unauthorized reading or modification of subscriber information. The CVE description does not detail deletion or broader system privileges, so the impact is limited to subscriber data exposure or tampering.

The affected system is the WordPress plugin Omnisend Email Marketing for WooCommerce by Omnisend, any installation using version 1.19.0 or earlier. Site owners should verify the plugin version and update it if a vulnerable instance is found.

The CVSS base score of 5.4 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is a broken access control, so an attacker does not need administrative privileges but must reach the WordPress site and access the plugin’s subscriber API endpoints. Based on the description, the attack likely requires network connectivity to the site, and the exploit would be discoverable by anyone who can access the API. The potential impact includes unauthorized access to subscriber data, which may compromise user privacy and cause reputational damage.