CVE-2025-66124

Vulnerability

Overview The Leaky Paywall plugin for WordPress suffers from a missing authorization vulnerability (CVE-2025-66124) in versions up to 4.22.6. The issue lies in incorrectly configured access control security levels, which allows attackers to bypass intended restrictions. This broken access control flaw can be exploited without authentication, as the plugin fails to properly verify user capabilities before granting access to protected functions [1].

Exploitation

Attackers can leverage this vulnerability by sending crafted requests to the affected plugin endpoints. Since no authentication is required, any unauthenticated user can exploit the missing authorization check. The vulnerability is particularly dangerous because it can be chained with other attacks in mass-exploit campaigns, targeting thousands of websites simultaneously regardless of their size or traffic [1].

Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users. In the context of a paywall plugin, this could mean bypassing payment restrictions or accessing premium content without authorization. The CVSS score of 5.3 (Medium) reflects the potential for significant impact without complex prerequisites [1].

Mitigation

The vendor has released version 5.0 or later to address the vulnerability. Users are strongly advised to update immediately. For those unable to update, implementing additional access controls or contacting their hosting provider for assistance is recommended. Patchstack users can enable auto-update for vulnerable plugins to streamline protection [1].