CVE-2025-60166 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin WP Subscription Forms PRO developed by wpshuffle. This vulnerability arises due to improperly configured access control mechanisms within the plugin, allowing users with limited privileges (PR:L - privileges required: low) to perform actions or access resources that should be restricted. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). The impact primarily affects the integrity of the system, as unauthorized users may manipulate subscription forms or related data, but it does not affect confidentiality or availability. The vulnerability affects versions up to 2.0.5, although exact affected versions are not fully enumerated. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on September 26, 2025, and is tracked by the CVE identifier CVE-2025-60166. The CVSS v3.1 base score is 4.3, reflecting a medium severity level. The core issue is the absence of proper authorization checks, which can lead to privilege escalation or unauthorized modifications within the plugin's functionality, potentially undermining the trustworthiness of subscription data or user interactions managed by the plugin.

For European organizations using WP Subscription Forms PRO, this vulnerability could lead to unauthorized modifications of subscription data or manipulation of form submissions, potentially resulting in data integrity issues or unauthorized subscription changes. While it does not directly compromise confidentiality or availability, the integrity impact can affect marketing, customer engagement, or lead to fraudulent subscription activities. Organizations relying on this plugin for customer communications or lead generation may face reputational damage or operational disruptions if attackers exploit this flaw. Given the plugin's role in managing subscriptions, unauthorized changes could also lead to compliance issues under GDPR if personal data is mishandled or altered without proper authorization. The medium severity suggests that while the threat is not critical, it should be addressed promptly to prevent escalation or chained attacks that could leverage this vulnerability as a foothold.

1. Immediate review and application of any available patches or updates from the vendor once released. 2. Until a patch is available, restrict access to the WordPress admin panel and plugin management interfaces to trusted users only, employing strong authentication and role-based access controls. 3. Conduct an audit of user roles and permissions within WordPress to ensure minimal privilege principles are enforced, especially for users with low privileges who might exploit this vulnerability. 4. Implement web application firewall (WAF) rules to monitor and block suspicious requests targeting the subscription forms or plugin endpoints. 5. Regularly monitor logs for unusual activities related to subscription form submissions or administrative actions within the plugin. 6. Consider temporarily disabling the WP Subscription Forms PRO plugin if the risk outweighs the operational need until a secure version is available. 7. Educate administrators and users about the risks of unauthorized access and encourage prompt reporting of anomalies. 8. Review and enhance overall WordPress security posture, including timely updates of all plugins and core components.