CVE-2025-66101
Description
Missing Authorization vulnerability in Sabuj Kundu CBX Bookmark & Favorite cbxwpbookmark allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CBX Bookmark & Favorite: from n/a through <= 2.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in CBX Bookmark & Favorite plugin (<=2.0.1) allows unauthenticated access control bypass.
Vulnerability
Overview
CVE-2025-66101 is a missing authorization vulnerability in the WordPress plugin CBX Bookmark & Favorite (cbxwpbookmark), affecting versions from n/a through 2.0.1. The plugin fails to properly enforce access control checks, allowing exploitation of incorrectly configured security levels [1]. This broken access control issue means that certain functions lack necessary authorization or nonce token verification, enabling unprivileged users to perform actions that should be restricted [1].
Exploitation
The vulnerability can be exploited without authentication, as the missing authorization check does not require the attacker to have any special privileges. The attack surface is the WordPress admin interface or any frontend endpoint that relies on the plugin's access control. No user interaction is needed, and the attack complexity is low [1].
Impact
An unauthenticated attacker can bypass access controls, potentially modifying bookmarks, favorites, or other plugin data that should be protected. While the CVSS score is 4.3 (Medium), the vulnerability is considered low severity and unlikely to be exploited in mass campaigns, though it could be used in targeted attacks [1].
Mitigation
The vendor has released version 2.0.2 which fixes the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-update for vulnerable plugins. If updating is not possible, consult a hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 2.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.