CVE-2025-60166
Description
Missing Authorization vulnerability in wpshuffle WP Subscription Forms PRO wp-subscription-forms-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscription Forms PRO: from n/a through <= 2.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-60166: Missing Authorization in WP Subscription Forms PRO ≤2.0.5 allows authenticated attackers to delete arbitrary content due to misconfigured access controls.
Vulnerability Overview
CVE-2025-60166 is a missing authorization vulnerability in the WP Subscription Forms PRO plugin for WordPress, affecting versions 2.0.5 and earlier. The plugin fails to properly validate access control security levels, allowing authenticated users with minimal privileges to delete arbitrary content, including posts, pages, and media files. This is due to incorrectly configured access control checks that do not enforce the intended authorization requirements for content deletion endpoints [1].
Attack Vector
An attacker must have a valid WordPress user account, but can exploit this vulnerability without needing elevated administrative privileges. The plugin's AJAX actions or other delete endpoints lack sufficient capability checks, enabling any authenticated user to send crafted requests that trigger content deletion. No special network position is required, as the attack is performed over HTTP via the WordPress admin interface or frontend [1].
Impact
A successful exploit allows the attacker to delete arbitrary content from the target WordPress site. This can disrupt site operations, remove critical pages or posts, delete media files such as images, and generally deface or break the site. The vulnerability is particularly dangerous because it can be used in mass exploitation campaigns targeting thousands of WordPress sites simultaneously [1].
Mitigation
The vendor has released a patched version; users are strongly advised to update WP Subscription Forms PRO to the latest available version. As an immediate workaround, if updating is not possible, site administrators should disable the plugin or restrict access to its functionality via additional security controls. This vulnerability is listed in the Patchstack database as an arbitrary content deletion flaw, and active exploitation is likely given its inclusion in mass-exploit campaigns [1].
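Added illustration, not code from WP Subscription Forms PRO or from Patchstack: a generic WordPress AJAX delete handler in the weak shape the Attack Vector section describes, followed by the hardened form that the mitigation implies. Hook and function names prefixed example_ are hypothetical; wp_delete_post, wp_send_json_*, check_ajax_referer, current_user_can, absint and get_post are WordPress core functions.

```php
<?php
// Hypothetical handler shapes (not the plugin's code). The wp_ajax_{action}
// hook fires for EVERY logged-in user regardless of role, so a destructive
// action registered there must do its own nonce and capability checks.

// --- Weak pattern: reachable by any authenticated account ---
// (wiring shown as a comment so only the hardened handler is registered)
// add_action( 'wp_ajax_example_delete_item', 'example_delete_item_unchecked' );
function example_delete_item_unchecked() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    // No nonce check and no capability check: a subscriber-level account
    // can remove any post, page or media attachment by ID. This is the
    // "missing authorization" defect class the advisory describes.
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// --- Hardened pattern: nonce + object-level capability check ---
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_checked' );
function example_delete_item_checked() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action (created on the client side with wp_create_nonce()).
    //    check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'example_delete_item', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 2. Authorization against the specific object, not merely "logged in".
    //    'delete_post' is a meta capability that WordPress maps to
    //    delete_posts / delete_others_posts etc. for the post's type,
    //    so it also covers pages and attachments.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $deleted = wp_delete_post( $post_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

When auditing a plugin for this class of flaw, grep its wp_ajax_ and REST route registrations and confirm each destructive callback performs both checks before acting; a capability check alone still leaves the endpoint open to CSRF, and a nonce check alone still lets any logged-in user call it.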
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.