VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 16, 2025 · Updated Apr 27, 2026

CVE-2025-66121

Description

Missing Authorization vulnerability in SiteGround SiteGround Security sg-security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteGround Security: from n/a through <= 1.5.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SiteGround Security plugin ≤1.5.8 has a missing authorization vulnerability, allowing unauthenticated access control bypass exploited in mass campaigns.

The SiteGround Security plugin for WordPress versions up to 1.5.8 contains a Missing Authorization vulnerability. This issue stems from incorrectly configured access control security levels, which allow attackers to bypass authorization checks without proper authentication or nonce token validation [1].

Exploitation requires no special privileges and can be performed remotely without authentication, making it an attractive target for mass exploitation campaigns [1]. The vulnerability's low attack complexity and network-based vector enable attackers to target thousands of websites simultaneously, regardless of site size or traffic volume [1].

Successful exploitation grants unprivileged users the ability to execute higher-privileged actions that should be restricted, effectively breaking the intended permission model. While the CVSS base score is 5.3 (Medium), the actual impact in WordPress environments may differ from traditional scoring [1].

SiteGround has released version 1.5.9 of the plugin to patch this vulnerability. Users are strongly advised to update immediately or enable automatic updates for vulnerable plugins via Patchstack. Those unable to update should consult their hosting provider or web developer for assistance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
