CVE-2025-66130

Analysis

The WP Views Counter plugin for WordPress (versions up to and including 2.1.2) contains a missing authorization vulnerability. This issue arises from incorrectly configured access control security levels, meaning that certain functions or endpoints do not properly verify user permissions before allowing access [1]. The root cause is a lack of necessary checks for authentication or nonce tokens, enabling unprivileged users to execute actions that should be restricted to higher-privileged roles.

Exploitation

Attackers can exploit this flaw without needing prior authentication or special privileges. The vulnerability is of particular concern because it is reported to be used in mass-exploit campaigns that target thousands of WordPress sites indiscriminately, regardless of size or popularity [1]. The CVSS score (5.3, Medium) reflects a moderate risk, but the ease of exploitation and potential for automated attacks significantly raise the practical threat level.

Impact

Successful exploitation allows an attacker to perform unauthorized actions, such as modifying plugin settings or accessing protected data, depending on the specific functions that lack authorization. The impact may include data exposure or unintended configuration changes, though the vendor assesses the severity as low for individual site compromise [1].

Mitigation

The vulnerability is fixed in version 2.1.3. Users are strongly advised to update immediately. If updating is not possible, site owners should contact their hosting provider or developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is detailed, so updating is the recommended action [1].