CVE-2025-66072 is a critical security vulnerability identified in the UsersWP plugin developed by Stiofan, affecting all versions up to and including 1.2.47. The vulnerability stems from missing authorization checks within the plugin’s access control mechanisms, allowing attackers to bypass security restrictions that normally prevent unauthorized access to sensitive user management functions. This flaw is exploitable remotely without requiring any authentication or user interaction, making it highly accessible to attackers. The vulnerability impacts the confidentiality, integrity, and availability of systems using the plugin by potentially allowing attackers to view, modify, or delete user data, escalate privileges, or disrupt service availability. The CVSS v3.1 base score of 9.8 reflects the critical severity, with vector metrics indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits have been reported in the wild yet, the vulnerability’s characteristics make it a prime target for attackers once exploit code becomes available. UsersWP is a WordPress plugin widely used for user profile and membership management, which means many websites, including those operated by European organizations, could be affected. The lack of a current patch or mitigation instructions in the provided data highlights the urgency for vendors and users to address this issue promptly.

For European organizations, the impact of CVE-2025-66072 is significant due to the widespread use of WordPress and associated plugins like UsersWP for managing user profiles and memberships. Exploitation could lead to unauthorized access to sensitive user information, including personal data protected under GDPR, resulting in data breaches with legal and financial consequences. Attackers could manipulate user accounts, escalate privileges, or disrupt website availability, impacting business operations and customer trust. The critical severity and ease of exploitation increase the risk of automated attacks targeting vulnerable installations. Organizations in sectors such as e-commerce, education, government, and media that rely on WordPress for user management are particularly vulnerable. The potential for widespread compromise also poses risks to supply chains and third-party service providers integrated with affected websites. Additionally, reputational damage and regulatory penalties could arise from failure to secure user data adequately.

1. Immediate action should be to monitor official channels from Stiofan and UsersWP for patches or updates addressing CVE-2025-66072 and apply them as soon as they become available. 2. Until a patch is released, restrict access to the UsersWP plugin’s administrative and user management interfaces using web application firewalls (WAFs) or IP whitelisting to limit exposure. 3. Conduct thorough access control audits on all WordPress installations using UsersWP to identify and remediate any misconfigurations or excessive permissions. 4. Implement network-level protections such as intrusion detection/prevention systems (IDS/IPS) to detect anomalous requests targeting the plugin. 5. Enable detailed logging and monitoring of user management activities to quickly identify suspicious behavior indicative of exploitation attempts. 6. Educate site administrators on the risks associated with this vulnerability and encourage prompt reporting of unusual activity. 7. Consider isolating critical WordPress instances or using containerization to limit the blast radius of a potential compromise. 8. Review and enhance overall WordPress security posture, including timely updates of all plugins and themes, to reduce attack surface.