CVE-2025-66099
Description
Missing Authorization vulnerability in ThemeAtelier Chat Help chat-help allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chat Help: from n/a through <= 3.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Chat Help plugin versions ≤ 3.1.3 allows unauthenticated attackers to exploit incorrectly configured access controls.
CVE-2025-66099 is a missing authorization vulnerability in the WordPress Chat Help plugin by ThemeAtelier, affecting all versions up to and including 3.1.3. The root cause is a broken access control mechanism—specifically, a missing authorization or authentication check in a function that should require higher privileges. This allows unprivileged users to perform actions meant for higher-privileged roles [1].
To exploit this vulnerability, an attacker needs no authentication (or only low privileges) and can trigger the flaw over the network. The attack complexity is low, and no user interaction is required. The issue is classified as a broken access control vulnerability, which is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Successful exploitation grants an attacker the ability to perform actions that bypass the intended access control security levels, potentially leading to unauthorized data access, modification, or other privilege escalation scenarios. The CVSS v3 base score is 5.3 (Medium), with the impact being of low severity according to the advisory [1].
The vendor has released a fix in version 3.1.4. Users are strongly advised to update to 3.1.4 or later. Patchstack users can enable auto-updates for vulnerable plugins. If unable to update immediately, users should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=3.1.3
- (no CPE) range: <= 3.1.3
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.