CVE-2025-66063
Description
Missing Authorization vulnerability in jgwhite33 WP Google Review Slider wp-google-places-review-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Google Review Slider: from n/a through <= 17.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Google Review Slider plugin <=17.4 allows attackers to exploit incorrectly configured access controls, potentially leading to unauthorized actions.
Vulnerability Overview
The WP Google Review Slider plugin for WordPress (versions up to and including 17.4) suffers from a missing authorization vulnerability. This flaw stems from improperly configured access control security levels, allowing an attacker to bypass intended restrictions and perform actions that should require higher privileges. [1]
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending crafted requests to the vulnerable plugin's functions that lack proper authorization checks. No special network position is required; the attack can be carried out remotely over the web. The vulnerability is categorized as a broken access control issue, common in mass-exploit campaigns targeting multiple WordPress sites. [1]
Impact
Successful exploitation could enable an attacker to perform unauthorized operations, such as modifying or deleting data, depending on the specific missing restrictions. While the CVSS score is 5.4 (medium), the actual impact may vary based on the privileges that can be gained. [1]
Mitigation
The vendor has released version 17.6 to address the vulnerability. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. As a temporary workaround, if an immediate update is not possible, contacting a hosting provider or web developer for assistance is recommended. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 17.4
- Range: <= 17.4
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.