CVE-2025-66072 identifies a critical missing authorization vulnerability in the UsersWP plugin developed by Stiofan, affecting all versions up to and including 1.2.47. This vulnerability arises from incorrectly configured access control security levels, allowing unauthenticated remote attackers to bypass authorization checks. Exploitation does not require any privileges or user interaction, making it trivially exploitable over the network. The impact is severe, as attackers can gain unauthorized access to sensitive user data, modify or delete user accounts, and potentially disrupt the availability of the WordPress site. The CVSS v3.1 base score of 9.8 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation. Although no public exploits have been reported yet, the nature of the vulnerability suggests that exploitation could lead to full site compromise, data leakage, and persistent unauthorized access. The vulnerability affects the UsersWP plugin, a popular WordPress user management tool, which is widely used for managing user registrations, profiles, and memberships. The lack of proper authorization checks means that critical administrative functions may be accessible to any remote attacker, bypassing intended security controls. This vulnerability was published on November 21, 2025, and no patches or fixes have been linked yet, indicating that organizations must apply mitigations or monitor closely until an official update is released.

For European organizations, this vulnerability poses a significant risk to the security of WordPress-based websites that utilize the UsersWP plugin. Successful exploitation can lead to unauthorized disclosure of personal and sensitive user data, violating GDPR and other data protection regulations, potentially resulting in legal and financial penalties. Integrity of user data and site content can be compromised, allowing attackers to alter or delete user accounts, inject malicious content, or escalate privileges. Availability may also be impacted if attackers disrupt user management functions or cause denial of service conditions. Organizations relying on UsersWP for membership or user authentication services may face operational disruptions and reputational damage. The ease of exploitation and lack of required authentication increase the likelihood of attacks, especially targeting high-profile or data-sensitive websites. Given the criticality, European entities must consider this vulnerability a top priority for remediation to avoid compliance issues and security breaches.

1. Immediately audit all WordPress sites using the UsersWP plugin to identify affected versions (<= 1.2.47). 2. Apply any available patches or updates from Stiofan as soon as they are released. 3. If patches are not yet available, implement temporary access control restrictions at the web server or application firewall level to block unauthorized access to UsersWP endpoints, especially those handling user management functions. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting UsersWP plugin URLs. 5. Conduct thorough logging and monitoring of user management activities to detect anomalous behavior indicative of exploitation attempts. 6. Restrict administrative access to trusted IP addresses or VPNs where feasible. 7. Educate site administrators about the vulnerability and encourage prompt action. 8. Consider disabling or uninstalling the UsersWP plugin temporarily if it is not critical to operations until a secure version is available. 9. Review and strengthen overall WordPress security posture, including principle of least privilege for user roles and regular backups to enable recovery from potential compromise.