CVE-2025-66072 identifies a missing authorization vulnerability in the UsersWP plugin developed by Stiofan, affecting all versions up to and including 1.2.47. The core issue stems from incorrectly configured access control security levels within the plugin, which can allow an attacker to bypass authorization checks. This means that unauthorized users could perform actions or access data that should be restricted, potentially leading to privilege escalation or unauthorized data exposure. UsersWP is a WordPress plugin widely used for managing user profiles, memberships, and user-related content on WordPress sites. The vulnerability does not require prior authentication or user interaction, increasing its risk profile. Although no public exploits have been reported yet, the flaw's nature suggests it could be leveraged by attackers to manipulate user data or gain elevated privileges within affected WordPress installations. The absence of a CVSS score indicates that the vulnerability is newly disclosed, and further analysis is needed to fully understand its exploitability and impact. The vulnerability was published on November 21, 2025, and no patches or fixes have been linked yet, emphasizing the need for vigilance among users of the plugin. Organizations using UsersWP should audit their installations, monitor for suspicious activity, and prepare to apply security updates once available.

For European organizations, the impact of CVE-2025-66072 can be significant, especially for those relying on WordPress sites with the UsersWP plugin for user management and membership functionalities. Unauthorized access due to missing authorization controls could lead to data breaches involving personal user information, unauthorized privilege escalation, and potential manipulation of user roles or content. This could compromise the confidentiality and integrity of user data and disrupt service availability if attackers modify or delete critical user information. Given the plugin's role in managing user access, exploitation could also facilitate further lateral movement within an organization's web infrastructure. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data exposure can result in legal penalties and reputational damage. Additionally, organizations in finance, healthcare, education, and government sectors that use this plugin are at greater risk due to the sensitivity of their user data and the critical nature of their services.

1. Immediately audit all WordPress installations to identify the presence and version of the UsersWP plugin. 2. Restrict administrative and plugin management access to trusted personnel only, employing the principle of least privilege. 3. Monitor logs and user activity for unusual access patterns or unauthorized changes related to user profiles and permissions. 4. Implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting UsersWP endpoints. 5. Stay informed through official Stiofan and WordPress security channels for patch releases and apply updates promptly once available. 6. Consider temporarily disabling or replacing the UsersWP plugin with alternative solutions if immediate patching is not possible. 7. Conduct penetration testing focused on access control mechanisms within WordPress environments to identify similar misconfigurations. 8. Educate site administrators on secure plugin configuration and the importance of timely updates to reduce exposure windows.