CVE-2025-66122
Description
Missing Authorization vulnerability in Design Stylish Price List stylish-price-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stylish Price List: from n/a through <= 7.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stylish Price List plugin ≤ 7.2.2 has a missing authorization vulnerability allowing unprivileged users to execute privileged actions without proper access control checks.
Vulnerability Overview
The Stylish Price List WordPress plugin, versions up to and including 7.2.2, suffers from a Missing Authorization vulnerability. This is a broken access control issue where the plugin fails to properly enforce authorization, authentication, or nonce token checks in certain functions. Consequently, an unprivileged user can execute actions that should require higher privileges without proper permission validation [1].
Exploitation & Attack Surface
To exploit this vulnerability, an attacker needs network access to a WordPress site running the affected plugin version. Because the plugin omits necessary access control checks, no special user role or authentication may be required beyond the ability to reach the site. The issue is classified as a "Broken Access Control" type, which can allow unauthenticated or lower-privileged users to perform privileged operations [1].
Impact
An attacker who successfully exploits this vulnerability can bypass intended security levels and perform actions that are normally restricted, such as modifying settings or accessing sensitive data. The CVSS score of 5.3 (Medium) reflects the moderate but real risk of unauthorized data exposure or functionality misuse [1].
Mitigation Status
The vulnerability has been addressed in version 7.2.3 of the plugin. The primary remediation is to update to 7.2.3 or later. For sites where immediate update is not possible, enabling auto-updates via Patchstack or contacting a hosting provider for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=7.2.2
- Range: <=7.2.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.