Impact
An unauthenticated Broken Access Control vulnerability in the ez Form Calculator Premium WordPress plugin allows attackers without valid credentials to bypass the plugin's permission checks and perform actions that should be reserved for privileged users. Depending on the exposed functionality, this could let an attacker create, modify, or delete forms, read sensitive submission data, or otherwise manipulate the plugin without authorization. The weakness is classified as CWE-862 (Missing Authorization): a privileged operation is reachable without verifying that the caller is permitted to perform it.
Affected Systems
Keksdieb's ez Form Calculator Premium plugin is affected in all versions up to and including 2.14.1.2. Any WordPress installation running one of these versions is exposed. No fixed version is stated here, so confirm against the vendor's changelog that the installed release is later than 2.14.1.2 before treating a site as patched.
Risk and Exploitability
The CVSS base score of 5.3 places this vulnerability in the Medium severity band. No EPSS score is available, so the likelihood of exploitation in the wild cannot be quantified, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. No CVSS vector string is given here; the attack vector is inferred to be network-based, since the plugin is reached over HTTP and the flaw requires no authentication, so exploitation would consist of crafted HTTP requests to the plugin's AJAX, REST, or admin endpoints. If that inference is correct (network, low complexity, no privileges, no user interaction), a 5.3 score corresponds under CVSS v3.1 to a Low impact on exactly one of confidentiality, integrity, or availability, i.e. limited abuse of a single function rather than full site compromise; treat that as an assumption until the vector is published.
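To make the weakness class concrete for both the Impact and Risk paragraphs above, here is an added illustration of CWE-862 in a WordPress plugin: a privileged AJAX action that is registered for anonymous callers and never checks authorization, followed by the hardened form of the same handler and of an equivalent REST route. This is example code written for this page, not code from ez Form Calculator Premium; the plugin's actual vulnerable code path is not disclosed here, and the `democalc_` prefix, action names, option names, and the `manage_options` capability are assumptions.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress plugin.
// NOT code from ez Form Calculator Premium; all names below are assumed.

// --- Vulnerable pattern ------------------------------------------------------
// Registering the callback on wp_ajax_nopriv_* makes it reachable with no
// session at all, and the callback never asks whether the caller may do this,
// so even the logged-in wp_ajax_* path is open to any subscriber.
function democalc_save_form_vulnerable() {
    $form_id = isset($_POST['form_id']) ? absint($_POST['form_id']) : 0;
    $config  = isset($_POST['config']) ? wp_unslash($_POST['config']) : '';

    // No capability check and no nonce: anyone who can POST to
    // /wp-admin/admin-ajax.php?action=democalc_save_form overwrites a form.
    update_option('democalc_form_' . $form_id, $config);
    wp_send_json_success(array('saved' => $form_id));
}
add_action('wp_ajax_democalc_save_form',        'democalc_save_form_vulnerable');
add_action('wp_ajax_nopriv_democalc_save_form', 'democalc_save_form_vulnerable');

// --- Hardened pattern --------------------------------------------------------
// 1. No wp_ajax_nopriv_* hook for a privileged action.
// 2. Verify a nonce (CSRF) and a capability (authorization) before acting.
function democalc_save_form_hardened() {
    // check_ajax_referer() terminates the request with HTTP 403 when the
    // 'nonce' field is missing or does not match the 'democalc_save_form' action.
    check_ajax_referer('democalc_save_form', 'nonce');

    // Authorization: require a capability that ordinary users do not hold.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    $form_id = isset($_POST['form_id']) ? absint($_POST['form_id']) : 0;
    $config  = isset($_POST['config'])
        ? sanitize_textarea_field(wp_unslash($_POST['config'])) : '';
    if ($form_id === 0) {
        wp_send_json_error(array('message' => 'invalid form_id'), 400);
    }

    update_option('democalc_form_' . $form_id, $config);
    wp_send_json_success(array('saved' => $form_id));
}
add_action('wp_ajax_democalc_save_form_v2', 'democalc_save_form_hardened');

// The same rule for a REST route: permission_callback IS the authorization
// check. Passing '__return_true' there would reproduce the CWE-862 condition.
add_action('rest_api_init', function () {
    register_rest_route('democalc/v1', '/forms/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => function (WP_REST_Request $request) {
            delete_option('democalc_form_' . absint($request['id']));
            return rest_ensure_response(array('deleted' => (int) $request['id']));
        },
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => array('id' => array('validate_callback' => 'is_numeric')),
    ));
});
```

A quick external check for the anonymous-AJAX variant on a site you are authorised to test: POST `action=<name>` to `/wp-admin/admin-ajax.php` without a session cookie. WordPress answers with the literal body `0` when no `wp_ajax_nopriv_` handler is registered for that action; any other response means the action is reachable unauthenticated and its handler must enforce its own authorization.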
OpenCVE Enrichment