CVE-2025-66072

Vulnerability

Overview The vulnerability is a missing authorization check in the UsersWP plugin for WordPress, affecting versions up to and including 1.2.47. This allows exploitation of incorrectly configured access control security levels, enabling unprivileged users to execute actions that should be restricted to higher-privileged roles [1].

Exploitation and

Attack Surface An attacker does not need special authentication to exploit this flaw; any unprivileged user can trigger the missing authorization. The attack surface is broad due to the plugin's widespread use, making it suitable for mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation lets an attacker perform actions reserved for administrators or other privileged roles, potentially leading to data exposure, content manipulation, or further compromise of the WordPress site. Despite a CVSS score of 5.3 (Medium), the risk is elevated by the ease of exploitation and the plugin's popularity [1].

Mitigation

The vulnerability is addressed in version 1.2.48 of UsersWP. Users are strongly advised to update the plugin immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-update for vulnerable plugins [1].