CVE-2025-66108
Description
Missing Authorization vulnerability in Merlot Digital (by TNC) TNC Toolbox: Web Performance (tnc-toolbox) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TNC Toolbox: Web Performance: from n/a through <= 2.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the TNC Toolbox: Web Performance WordPress plugin (versions <= 2.0.4) lets attackers reach functionality the plugin fails to gate behind a capability check; fixed in 2.0.5.
Vulnerability
The TNC Toolbox: Web Performance plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in versions up to and including 2.0.4. The CVE description classifies the attack as "Exploiting Incorrectly Configured Access Control Security Levels" (CAPEC-180): at least one function or endpoint that should be restricted to a privileged role is not guarded by a permission check, so WordPress will run it for a caller who does not hold the required capability. In WordPress plugins this broken-access-control pattern typically takes one of a few concrete forms, such as an admin-ajax handler hooked on both `wp_ajax_` and `wp_ajax_nopriv_` with no `current_user_can()` or nonce check, or a REST route registered with a `permission_callback` that always returns true [1].
Exploitation
The attack vector is network: the unprotected action is reached with ordinary HTTP requests to the WordPress site (for example to admin-ajax.php or a REST route), and no special network position is needed. Because the handler performs no capability or nonce check, any caller able to reach it can trigger functionality reserved for higher-privilege roles, such as changing plugin settings. The CVE description does not state the minimum privilege level required. A CVSS 3.1 base score of 4.3 is what a network-reachable, low-complexity, no-user-interaction flaw with a single Low impact receives when PR:L (an authenticated low-privilege account such as Subscriber); the same flaw with PR:N scores 5.3. The claim that unauthenticated visitors can exploit it should therefore be checked against the advisory's vector string before triage treats this as pre-auth [1].
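The pattern described above, shown as an added illustration rather than code from the TNC Toolbox plugin (whose affected code is not quoted on this page): a vulnerable admin-ajax handler and REST route with no authorization, beside the hardened form. The `example-toolbox` namespace, hook names, option keys and nonce action are hypothetical; the WordPress API calls are real.

```php
<?php
/**
 * Added example, not TNC Toolbox code. Demonstrates the missing-
 * authorization pattern (CWE-862) in a WordPress plugin and its fix.
 * All "example_toolbox" names below are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// A settings write exposed through a REST route whose permission_callback
// unconditionally returns true. register_rest_route() requires a callback
// to be present, but '__return_true' makes the route public: anyone can
// POST to /wp-json/example-toolbox/v1/settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-toolbox/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_toolbox_save_settings',
        'permission_callback' => '__return_true', // bug: no authorization
    ) );
} );

function example_toolbox_save_settings( WP_REST_Request $request ) {
    update_option( 'example_toolbox_purge_url', $request->get_param( 'purge_url' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// The same bug on admin-ajax: the action is hooked for logged-in users
// (wp_ajax_) AND anonymous visitors (wp_ajax_nopriv_), and the handler
// checks neither a capability nor a nonce before it acts.
add_action( 'wp_ajax_example_toolbox_purge',        'example_toolbox_purge_cache' );
add_action( 'wp_ajax_nopriv_example_toolbox_purge', 'example_toolbox_purge_cache' );

function example_toolbox_purge_cache() {
    update_option( 'example_toolbox_cache_state', 'purged' );
    wp_send_json_success();
}

// --- Hardened form ------------------------------------------------------
// Authorization lives in permission_callback. For cookie-authenticated
// REST calls core also requires a valid X-WP-Nonce header before the
// route's callbacks run; a nonce alone is CSRF protection, not authorization.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-toolbox/v1', '/settings-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_toolbox_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'purge_url' => array(
                'required'          => true,
                'sanitize_callback' => 'esc_url_raw',
                'validate_callback' => function ( $value ) {
                    return wp_http_validate_url( $value ) !== false;
                },
            ),
        ),
    ) );
} );

// admin-ajax: no nopriv hook (anonymous callers never reach it), an
// explicit capability check, then a nonce check against the 'nonce'
// request field. check_ajax_referer() terminates the request on failure.
add_action( 'wp_ajax_example_toolbox_purge_safe', 'example_toolbox_purge_cache_safe' );

function example_toolbox_purge_cache_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    check_ajax_referer( 'example_toolbox_purge', 'nonce' );
    update_option( 'example_toolbox_cache_state', 'purged' );
    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, grep for `wp_ajax_nopriv_`, `'permission_callback' => '__return_true'`, and `register_rest_route` calls with no `permission_callback` at all, then confirm that every handler that writes options, files or posts starts with a `current_user_can()` check for a capability the intended role actually holds (Subscriber, for instance, has `read` but not `manage_options`).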
Impact
Successful exploitation could allow an attacker to perform actions that should require higher privileges, such as tampering with the plugin's configuration or accessing non-public data. The official CVSS score of 4.3 (Medium) reflects the limited direct impact, but the cited advisory notes that vulnerabilities of this class are used in mass-exploitation campaigns against thousands of sites regardless of their size or popularity, since scanning for a known unauthenticated or low-privilege endpoint costs an attacker nothing per site [1].
Mitigation
The vulnerability has been addressed in version 2.0.5 of the plugin. Users are strongly advised to update immediately and to confirm afterwards that the installed version is 2.0.5 or later. For those unable to update, contacting the hosting provider or a web developer is recommended to implement additional security measures (for example, blocking the affected endpoint at the web server or WAF until the plugin is updated). Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- tnc-toolbox (TNC Toolbox: Web Performance): <= 2.0.4
Patches
No patches discovered yet.
References