VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-67468

Description

Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms (cf7-salesforce) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms: from n/a through <= 1.4.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WordPress plugin Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms (slug cf7-salesforce, versions <= 1.4.6) is missing an authorization check on at least one exposed function, so a request that should be limited to a privileged role is accepted without that check being made.

The vulnerability is a missing authorization issue in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions up to and including 1.4.6). The plugin fails to enforce an access control check on at least one of its functions, so an action intended for users holding a specific capability can be triggered by a caller who does not hold it. This is the classic broken access control flaw (CWE-862): the software never verifies that the caller has the required permission before executing a sensitive operation [1]. In WordPress plugins the class usually takes the form of a handler reachable through admin-ajax.php, admin-post.php or the REST API that omits a current_user_can() capability test, or a REST route whose permission_callback always returns true.
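The pattern described above, as an added illustrative example that is not code from the CRM Perks plugin (the advisory does not identify the affected function): a settings write exposed through admin-ajax.php and through the REST API, first in the unchecked form the CWE describes and then with the nonce and capability checks in place. Every name in it (the cfs_demo_* functions, the option key, the AJAX action, the REST route) is hypothetical.

```php
<?php
/**
 * Added illustrative example, not code from the CRM Perks plugin. It shows the
 * bug class the description names, CWE-862 Missing Authorization, as it most
 * often appears in WordPress plugins, beside the hardened form. Every name
 * (cfs_demo_*, the option key, the AJAX action, the REST route) is hypothetical.
 */

// ---- Vulnerable pattern --------------------------------------------------
// A settings write reachable through admin-ajax.php. The handler trusts the
// request completely: no nonce, no capability check. Registered on wp_ajax_*
// it is callable by any logged-in account, subscribers included; registered
// on wp_ajax_nopriv_* it is callable with no account at all.
function cfs_demo_save_settings_vulnerable() {
    update_option( 'cfs_demo_settings', array(
        'sf_client_id' => sanitize_text_field( wp_unslash( $_POST['sf_client_id'] ?? '' ) ),
        'sf_endpoint'  => esc_url_raw( wp_unslash( $_POST['sf_endpoint'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
// The registration that makes it exploitable; left commented out so this file
// only wires up the hardened handler below.
// add_action( 'wp_ajax_cfs_demo_save_settings', 'cfs_demo_save_settings_vulnerable' );

// ---- Hardened pattern ----------------------------------------------------
function cfs_demo_save_settings_hardened() {
    // CSRF: the request must carry a nonce minted for this exact action
    // (check_ajax_referer() ends the request with HTTP 403 otherwise).
    check_ajax_referer( 'cfs_demo_save_settings', 'nonce' );

    // Authorization, the check CWE-862 is about. Test the capability the
    // operation needs, not a role name; site-wide settings need manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    update_option( 'cfs_demo_settings', array(
        'sf_client_id' => sanitize_text_field( wp_unslash( $_POST['sf_client_id'] ?? '' ) ),
        'sf_endpoint'  => esc_url_raw( wp_unslash( $_POST['sf_endpoint'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_cfs_demo_save_settings', 'cfs_demo_save_settings_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers have no
// business here, so the hook is never exposed to them.

// The admin page hands the nonce to its script; wp_create_nonce() ties it to
// the current user and to the action name the handler verifies.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_cfs_demo' !== $hook || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'cfs-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cfs-demo-admin', 'cfsDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cfs_demo_save_settings' ),
    ) );
} );

// ---- Same bug, REST flavour -----------------------------------------------
// '__return_true' as permission_callback is the REST API equivalent of the
// missing check: it publishes the route to unauthenticated callers. The
// hardened route puts the capability test in permission_callback, which core
// evaluates before the handler runs (REST nonce handling is done by core from
// the X-WP-Nonce header, so there is no check_ajax_referer() here).
add_action( 'rest_api_init', function () {
    register_rest_route( 'cfs-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'cfs_demo_settings', array(
                'sf_client_id' => sanitize_text_field( (string) $req->get_param( 'sf_client_id' ) ),
                'sf_endpoint'  => esc_url_raw( (string) $req->get_param( 'sf_endpoint' ) ),
            ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        // vulnerable form: 'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When triaging a plugin for this class, grep its source for wp_ajax_nopriv_, admin_post_nopriv_ and '__return_true' permission callbacks, then read each handler for a current_user_can() test that precedes the privileged call; a handler that only checks a nonce is still missing authorization, since any logged-in user can obtain a nonce for an action they can reach. On a live site, WP-CLI reports the installed release with `wp plugin get cf7-salesforce --field=version` and updates it with `wp plugin update cf7-salesforce`; WP-CLI 2.5 and later can also turn on auto-updates with `wp plugin auto-updates enable cf7-salesforce`.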

The description does not state which role, if any, the attacker needs. A 4.3 base score is, for example, what CVSS v3.1 assigns to a network-reachable, low-complexity attack with one Low-rated impact when the attacker either holds low privileges (a subscriber account on a site with open registration) or needs a user interaction; the same impact with no privileges and no interaction would score 5.3. In either case the attack is a crafted HTTP request to one of the plugin's exposed endpoints, which any client that can reach the WordPress installation can send; no special network position is required [1].

The impact is that a caller without the intended privilege may be able to perform an action reserved for administrators; which operation is exposed is not stated, and candidates include modifying the plugin's settings, reading or altering the Salesforce integration data it holds, or another privileged operation. The CVSS v3 base score of 4.3 (Medium) reflects the limited direct impact, but the flaw could be chained with other issues or used in automated attacks against many sites at once [1].

Mitigation is to update the plugin to a release after 1.4.6; 1.4.7 is reported as the first version carrying the authorization check. Patchstack, which reported the issue, recommends enabling auto-updates for the plugin. The issue is rated Medium rather than High because of its limited direct impact, but missing-authorization bugs in WordPress plugins are routinely picked up by mass-exploitation scanners soon after disclosure, so apply the update promptly; until it is applied, deactivating the plugin removes its handlers from the exposed surface [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)