CVE-2025-66120
Description
Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CatFolders: from n/a through <= 2.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CatFolders plugin <=2.5.3 has a missing authorization vulnerability allowing any user to exploit incorrectly configured access controls.
Vulnerability Type and Root Cause
CatFolders 2.5.3 and earlier for WordPress suffers from a Missing Authorization vulnerability (CWE-862) [1]. The plugin fails to properly enforce access control checks on certain functions, meaning that privileged actions can be triggered by unprivileged users due to the absence of required authorization or nonce token verification [1]. This is a classic broken access control issue.
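To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not CatFolders code and is not derived from the plugin's patch, which this page does not show. It uses a hypothetical folder-rename AJAX endpoint (the action name `demo_rename_folder`, the nonce field `demo_folder_nonce`, the `demo_folder` taxonomy and the `manage_categories` capability are all assumed names chosen for the example) and shows the unchecked handler next to the same handler with the nonce and capability checks WordPress provides, plus the equivalent `permission_callback` rule for a REST route.

```php
<?php
/**
 * Added illustration, not CatFolders code: a hypothetical folder-management
 * AJAX endpoint shown first without authorization (the CWE-862 pattern the
 * advisory describes) and then with the checks WordPress provides.
 * Assumed names: the demo_rename_folder action, the demo_folder_nonce field,
 * the demo_folder taxonomy and the manage_categories capability are all
 * illustrative choices for this example.
 */

// --- Vulnerable pattern: handler reachable by any visitor, no checks. ---
// Registering on wp_ajax_nopriv_* makes the handler callable without a login,
// and nothing inside it verifies a nonce or a capability.
add_action( 'wp_ajax_nopriv_demo_rename_folder', 'demo_rename_folder_unchecked' );
add_action( 'wp_ajax_demo_rename_folder',        'demo_rename_folder_unchecked' );

function demo_rename_folder_unchecked() {
    $term_id  = absint( $_POST['term_id'] ?? 0 );
    $new_name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    // Privileged write performed on behalf of whoever sent the request.
    wp_update_term( $term_id, 'demo_folder', array( 'name' => $new_name ) );
    wp_send_json_success();
}

// --- Hardened pattern: logged-in hook only, nonce check, capability check. ---
// No wp_ajax_nopriv_ variant is registered, so anonymous requests never reach it.
add_action( 'wp_ajax_demo_rename_folder_safe', 'demo_rename_folder_checked' );

function demo_rename_folder_checked() {
    // 1. CSRF: the request must carry a nonce issued for this exact action.
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'demo_rename_folder', 'demo_folder_nonce' );

    // 2. Authorization: the caller must hold the capability for this action.
    //    Being logged in is not enough; a subscriber account reaches this hook too.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation happens only after the caller is authorized.
    $term_id  = absint( $_POST['term_id'] ?? 0 );
    $new_name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    if ( 0 === $term_id || '' === $new_name ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    $result = wp_update_term( $term_id, 'demo_folder', array( 'name' => $new_name ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'term_id' => $term_id ) );
}

// The nonce the hardened handler expects is issued server-side to the admin
// script (handle "demo-folders-admin" is assumed to be registered elsewhere),
// so the browser can send it back as the demo_folder_nonce field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-folders-admin', 'demoFolders', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_rename_folder' ),
    ) );
} );

// Equivalent rule for a REST route: permission_callback is the authorization
// check. A callback that simply returns true is the REST form of the same bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-folders/v1', '/folder/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_rename_folder',
        'permission_callback' => function () {
            return current_user_can( 'manage_categories' );
        },
        'args'                => array( 'id' => array( 'sanitize_callback' => 'absint' ) ),
    ) );
} );

function demo_rest_rename_folder( WP_REST_Request $request ) {
    $name   = sanitize_text_field( (string) $request->get_param( 'name' ) );
    $result = wp_update_term( (int) $request['id'], 'demo_folder', array( 'name' => $name ) );
    if ( is_wp_error( $result ) ) {
        return $result; // A WP_Error is rendered by the REST server as a JSON error response.
    }
    return rest_ensure_response( array( 'term_id' => (int) $request['id'] ) );
}
```

When reviewing a plugin for this bug class, the two things to look for are exactly what the vulnerable half above lacks: a `wp_ajax_nopriv_` registration (or a REST `permission_callback` that returns true) on a handler that writes state, and a handler body with no `current_user_can()` or nonce verification before that write. The nonce alone is not an authorization check, which is why the hardened handler performs both.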
Attack Surface and Exploitation
This vulnerability is exploitable without any authentication or special network position; any visitor to a site running the vulnerable plugin can potentially trigger the missing authorization flaw [1]. The issue affects all installations of CatFolders up to and including version 2.5.3, and the simplicity of exploitation makes it suitable for mass campaigns targeting many websites simultaneously [1].
Impact
An attacker exploiting this flaw can perform actions that should be restricted to higher-privileged users (e.g., administrators), such as modifying folder structures or accessing protected content, depending on the missing authorization point [1]. While the vendor rates the severity as medium (CVSS 5.3), the real-world risk is elevated by the potential for automated, broad exploitation.
Mitigation
The vulnerability was patched in CatFolders version 2.5.4 [1]. Users are strongly advised to update immediately. Sites that cannot update should contact their hosting provider or web developer for assistance; auto-update mechanisms (such as Patchstack) can also be enabled to protect vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <= 2.5.3
- (no CPE) range: <= 2.5.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.