CVE-2025-66129
Description
Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pochipp: from n/a through <= 1.18.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Pochipp WordPress plugin allows unauthenticated attackers to exploit incorrectly configured access controls, potentially leading to mass exploitation.
The Pochipp WordPress plugin versions through 1.18.0 contain a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, which fail to properly validate user permissions when performing certain actions. As a result, users or processes can execute functions that should require higher privileges without proper authentication [1].
Attackers can exploit this vulnerability remotely without needing any authentication or user interaction. Given that WordPress plugins are often publicly accessible, an attacker can send crafted requests to trigger the missing access control. This vulnerability is particularly concerning because it is known to be used in mass-exploit campaigns, targeting thousands of websites regardless of their traffic or popularity [1].
Successful exploitation allows an unprivileged attacker to perform actions intended for higher-privileged users, such as modifying settings or accessing restricted data. While the CVSS score is 5.3 (Medium), the practical risk is elevated due to the ease of exploitation and the potential for automated attacks [1].
The vendor has released version 1.18.1, which addresses the issue by properly implementing authorization checks. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If an immediate update is not possible, consulting with a hosting provider or web developer for alternative mitigations is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.