CVE-2025-66134
Description
Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FileBird Pro: from n/a through <= 6.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in FileBird Pro <=6.5.1 allows unauthenticated attackers to exploit incorrect access control levels.
Vulnerability
Overview
The FileBird Pro WordPress plugin by NinjaTeam contains a missing authorization vulnerability (broken access control) in versions up to and including 6.5.1. The root cause is an incorrectly configured access control security level, which allows functions to be executed without proper authentication or nonce checks [1].
Exploitation
An unauthenticated attacker can exploit this flaw remotely without needing any special privileges. By sending crafted requests, the attacker can trigger privileged actions that normally require higher-level permissions. The vulnerability is of particular concern because such broken access control issues are often used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].
Impact
Successful exploitation could allow an attacker to perform unauthorized actions that compromise the site's security. The CVSS v3 score of 5.4 (Medium) indicates moderate severity, though the vendor notes a low likelihood of exploitation in practice. Nevertheless, the ability to bypass access controls can lead to partial loss of data confidentiality, integrity, or availability, depending on the specific action invoked.
Mitigation
The issue has been patched in version 6.5.2. Users are strongly advised to update immediately. For Patchstack users, enabling auto-update for vulnerable plugins provides additional protection. If an immediate update is not possible, contacting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.