  • Cybersecurity Vulnerabilities

    Urgent: Broken Access Control Vulnerability Found in WP Cookie Notice Plugin (CVE-2025-66075)

    Overview

    A missing authorization vulnerability, identified as CVE-2025-66075, has been discovered in the WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (gdpr-cookie-consent) for WordPress. This vulnerability allows attackers to potentially exploit incorrectly configured access control security levels. Specifically, versions up to and including 4.0.3 are affected. This could allow unauthorized users to modify plugin settings or perform other actions they should not be permitted to do.

    Technical Details

    The core issue lies in the plugin’s failure to properly validate user roles and permissions before granting access to certain functionalities. This “Missing Authorization” issue can lead…

  • Cybersecurity Vulnerabilities

    CVE-2025-66073: Critical Object Injection Vulnerability Discovered in WP Webhooks Plugin

    Overview

    CVE-2025-66073 describes a Deserialization of Untrusted Data vulnerability affecting the WP Webhooks plugin for WordPress. Specifically, versions up to and including 3.3.8 are susceptible to Object Injection, potentially allowing attackers to execute arbitrary code on the affected server. This vulnerability has been reported and analyzed by Patchstack.

    Technical Details

    The vulnerability stems from the plugin’s handling of deserialized data. If the plugin deserializes untrusted data without proper sanitization or validation, an attacker can inject malicious PHP objects. Upon deserialization, these objects can trigger arbitrary code execution, potentially leading to complete server compromise. The specific endpoint or code path responsible…

  • Cybersecurity Vulnerabilities

    CVE-2025-66072: Critical Access Control Flaw in UsersWP WordPress Plugin

    Overview

    CVE-2025-66072 describes a Missing Authorization vulnerability found in the Stiofan UsersWP plugin for WordPress. Specifically, it allows for the exploitation of incorrectly configured access control security levels. This vulnerability affects UsersWP versions from n/a through 1.2.47. A successful exploit could allow unauthorized users to access or modify sensitive data or perform actions they should not be permitted to do.

    Technical Details

    The core issue lies in the plugin’s insufficient validation of user roles and permissions before granting access to certain functionalities or data. This “Broken Access Control” (as described in the Patchstack vulnerability database) means that a user with…

  • Cybersecurity Vulnerabilities

    Critical Vulnerability in WooCommerce Plugin: CVE-2025-66071 Demands Immediate Action

    Overview

    CVE-2025-66071 identifies a Missing Authorization vulnerability affecting the Custom Order Numbers for WooCommerce plugin by tychesoftwares. This vulnerability allows for “Exploiting Incorrectly Configured Access Control Security Levels.” Specifically, versions up to and including 1.11.0 are affected. This broken access control vulnerability could potentially allow unauthorized users to perform actions or access data they shouldn’t, impacting the security and integrity of your WooCommerce store.

    Technical Details

    The Custom Order Numbers for WooCommerce plugin, in versions 1.11.0 and earlier, suffers from a Missing Authorization vulnerability. This flaw stems from the plugin’s failure to properly validate user privileges before granting access to…

  • Cybersecurity Vulnerabilities

    Urgent: Critical Authorization Flaw Discovered in PPOM for WooCommerce (CVE-2025-66069)

    Overview

    CVE-2025-66069 describes a missing authorization vulnerability affecting the Themeisle PPOM for WooCommerce plugin. This vulnerability, classified as “Exploiting Incorrectly Configured Access Control Security Levels,” allows attackers to potentially bypass access controls within the plugin, leading to unauthorized actions or data manipulation. The vulnerability exists in versions up to and including 33.0.16.

    Technical Details

    The core of this vulnerability lies in the insufficient authorization checks within the PPOM for WooCommerce plugin. Specifically, the plugin fails to adequately verify user permissions before allowing access to certain functionalities or data. This allows attackers with limited privileges to potentially elevate their access and…

  • Cybersecurity Vulnerabilities

    FunnelKit Funnel Builder XSS Vulnerability (CVE-2025-66067): Protect Your WordPress Site!

    Overview

    This article details a Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66067, affecting the FunnelKit Funnel Builder plugin for WordPress. Specifically, it’s a DOM-Based XSS vulnerability, meaning the malicious script is executed within the user’s browser rather than being directly injected into the server’s response. This vulnerability impacts versions of Funnel Builder by FunnelKit up to and including 3.13.1.2.

    Technical Details

    CVE-2025-66067 is a DOM-Based XSS vulnerability. This means that the FunnelKit Funnel Builder plugin improperly neutralizes user-controlled input during web page generation. An attacker could craft a malicious URL or inject code into a page element that, when accessed…

  • Cybersecurity Vulnerabilities

    Envo Extra Plugin Under Attack! CVE-2025-66066 Exposes Sites to XSS

    Overview

    CVE-2025-66066 is a security vulnerability affecting the EnvoThemes Envo Extra WordPress plugin. Specifically, it’s a Stored Cross-Site Scripting (XSS) vulnerability. This means malicious code can be injected into the plugin’s settings or features, and that code will be executed in the browsers of other users who access the affected areas. Versions 1.9.11 and earlier of the plugin are affected.

    Technical Details

    The vulnerability, categorized as “Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”, allows attackers to inject malicious scripts into areas managed by the Envo Extra plugin. Because the input is not properly sanitized or encoded before…

  • Cybersecurity Vulnerabilities

    CVE-2025-66065: Secure Your WordPress Site – Gutenverse Plugin Broken Access Control

    Overview

    CVE-2025-66065 describes a Missing Authorization vulnerability affecting the Gutenverse WordPress plugin. Specifically, it’s a case of Exploiting Incorrectly Configured Access Control Security Levels, also known as broken access control. This vulnerability exists in Gutenverse versions n/a through 3.2.1.

    Technical Details

    The Gutenverse plugin, up to version 3.2.1, does not properly enforce access control restrictions. This means that users with insufficient privileges might be able to access or modify sensitive data or perform actions they are not authorized to perform. The exact methods of exploitation will vary depending on how the plugin handles authorization checks. This can potentially include: Accessing…

  • Cybersecurity Vulnerabilities

    CVE-2025-66064: Critical CSRF Vulnerability Found in RafflePress Plugin – Update Immediately!

    Overview

    A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-66064, has been discovered in the “Giveaways and Contests by RafflePress” WordPress plugin. This vulnerability affects versions up to and including 1.12.20. CSRF vulnerabilities can allow attackers to perform actions on behalf of legitimate users without their knowledge or consent, potentially leading to unauthorized modifications of contest settings, user data manipulation, or even complete site compromise.

    Technical Details

    The CSRF vulnerability in RafflePress stems from a lack of sufficient protection against forged requests. Specifically, the plugin does not properly validate the origin of requests when performing certain actions. This allows an…

  • Cybersecurity Vulnerabilities

    WP Google Review Slider Vulnerability: CVE-2025-66063 – Protect Your WordPress Site!

    Overview

    CVE-2025-66063 details a Missing Authorization vulnerability found in the WP Google Review Slider plugin for WordPress. Specifically, the plugin suffers from an “Exploiting Incorrectly Configured Access Control Security Levels” issue. This vulnerability allows attackers to bypass intended access restrictions, potentially leading to unauthorized actions within the plugin and, depending on the severity and plugin functionality, potentially the entire WordPress site. This issue affects all versions of the WP Google Review Slider plugin up to and including version 17.4.

    Technical Details

    The vulnerability is classified as a Missing Authorization or Broken Access Control issue. This typically means that the plugin…