CVE-2025-66525

Vulnerability

Description CVE-2025-66525 is a missing authorization vulnerability in the Elastic Email Sender plugin for WordPress, affecting versions from n/a through 1.2.20. The plugin fails to properly enforce access controls, allowing exploitation of incorrectly configured access control security levels.

Exploitation

An attacker with low privileges can exploit this broken access control issue to perform actions that should require higher privileges. No authentication bypass is needed beyond a valid user account with minimal permissions. The attack vector is network-based with low complexity.

Impact

Successful exploitation enables an unprivileged user to execute higher privileged actions within the WordPress site, potentially leading to unauthorized data access or functionality misuse. The CVSS v3 score is 4.3 (Medium), indicating low severity and unlikely mass exploitation in the wild.

Mitigation

The vendor has released version 1.2.21 which resolves the vulnerability. Users are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If unable to update, contact your hosting provider or web developer for assistance [1].