CVE-2025-66085

The Arconix Shortcodes plugin for WordPress (versions up to and including 2.1.18) contains a missing authorization vulnerability. This flaw stems from the plugin's failure to properly validate access control security levels, enabling unauthenticated or low-privileged users to execute actions that should require higher privileges [1].

The attack surface is broad as the vulnerability can be exploited without authentication. An attacker can send crafted requests to the affected plugin endpoints, bypassing intended access restrictions. The prerequisite is that the plugin is installed and active on a WordPress site; no special network position is required [1].

Successful exploitation allows an attacker to perform unauthorized actions, such as modifying shortcode configurations or accessing protected functionality. This could lead to content manipulation or information disclosure, depending on the plugin's features [1].

The vulnerability has been addressed in version 2.1.19. Users are strongly advised to update to this version or enable automatic updates for vulnerable plugins. Patchstack's advisory notes that while the severity is medium, the issue could be used in mass-exploit campaigns [1].