VYPR
Medium severity 5.3 · NVD Advisory · Published Nov 21, 2025 · Updated Apr 27, 2026

CVE-2025-66113

Description

Missing Authorization vulnerability in ThemeAtelier Better Chat Support for Messenger better-chat-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Chat Support for Messenger: from n/a through <= 1.2.18.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Better Chat Support for Messenger ≤1.2.18 allows unauthenticated attackers to exploit incorrectly configured access controls.

Vulnerability Overview

The Better Chat Support for Messenger plugin for WordPress, versions 1.2.18 and earlier, contains a missing authorization vulnerability. This issue arises from incorrectly configured access control security levels, allowing unprivileged users to execute functions that should require higher privileges. The vulnerability is classified as a broken access control problem, where a missing authorization, authentication, or nonce token check can lead to unauthorized actions [1].

Exploitation

To exploit this vulnerability, an attacker must be authenticated as a user with some level of access to the WordPress site. No special network position is required beyond being able to send HTTP requests to the vulnerable plugin's endpoints. The attack complexity is low, and the vulnerability can be triggered without any user interaction. The CVSS v3 base score is 5.3 (Medium), reflecting the moderate impact and ease of exploitation [1].

Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as administrators. This could include modifying plugin settings, accessing sensitive data, or performing other unauthorized operations. The vulnerability is noted to be used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].

Mitigation

The vendor has released version 1.2.19, which addresses the missing authorization issue. Users are strongly advised to update to this version or later. For those unable to update immediately, consulting with a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely patching [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

References: 1
