CVE-2025-66106
Description
Missing Authorization vulnerability in Essential Plugin Featured Post Creative featured-post-creative allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Post Creative: from n/a through <= 1.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Featured Post Creative plugin <=1.5.5 allows unauthenticated attackers to exploit incorrectly configured access controls.
The vulnerability is a missing authorization (broken access control) in the Featured Post Creative plugin for WordPress, affecting versions up to and including 1.5.5. The plugin fails to properly enforce access control checks, allowing users to perform actions that should require higher privileges [1].
Exploitation does not require authentication, as the missing authorization check means any unauthenticated visitor can trigger the vulnerable functionality. This makes it suitable for mass exploitation campaigns targeting thousands of WordPress sites [1].
The impact is limited to low severity (CVSS 4.3) but could allow attackers to modify or access features intended for authorized users only. The exact actions possible depend on the specific missing check, but the vulnerability is classified as broken access control [1].
The vendor has released version 1.5.6 which fixes the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If unable to update, consult a hosting provider or developer [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- (no CPE) range: <=1.5.5
- (no CPE) range: <=1.5.5
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.