CVE-2025-66101: Missing Authorization in Sabuj Kundu CBX Bookmark & Favorite
Missing Authorization vulnerability in Sabuj Kundu CBX Bookmark & Favorite cbxwpbookmark allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CBX Bookmark & Favorite: from n/a through <= 2.0.1.
AI Analysis
Technical Summary
CVE-2025-66101 identifies a Missing Authorization vulnerability in the Sabuj Kundu CBX Bookmark & Favorite WordPress plugin, specifically versions up to 2.0.1. The vulnerability stems from improperly configured access control security levels within the plugin, which allows users with low privileges (PR:L) to access or manipulate bookmark-related functionalities without proper authorization. The attack vector is network-based (AV:N), requiring no user interaction (UI:N), and the scope remains unchanged (S:U). The impact primarily affects confidentiality (C:L), with no direct impact on integrity or availability. This means an attacker with low privileges could potentially view or access bookmark data they should not have access to, but cannot alter or disrupt the system. The CVSS score of 4.3 reflects a medium severity level, indicating moderate risk. No known exploits are currently reported in the wild, and no official patches have been released, suggesting that organizations using this plugin should proactively assess their exposure. The vulnerability is relevant to WordPress sites utilizing this plugin, which is typically used for managing bookmarks and favorites within the CMS environment. The lack of detailed affected versions (noted as 'n/a') implies all versions up to 2.0.1 are vulnerable. The vulnerability was published on November 21, 2025, by Patchstack, a known assigner for WordPress-related vulnerabilities.
Potential Impact
For European organizations, the primary impact of CVE-2025-66101 is unauthorized access to bookmark data managed by the CBX Bookmark & Favorite plugin. While the vulnerability does not allow modification or deletion of data, exposure of potentially sensitive bookmark information could lead to privacy concerns or indirect information leakage. Organizations relying on WordPress for content management and using this plugin may face risks of data confidentiality breaches, especially if bookmarks contain links to internal resources or sensitive content. The medium severity suggests that while the threat is not critical, it could be exploited by malicious insiders or low-privilege attackers to gain insights into user behavior or internal references. This could facilitate further targeted attacks or social engineering campaigns. The absence of known exploits reduces immediate risk but does not eliminate the potential for future exploitation. The vulnerability does not impact system availability or integrity, so operational disruption is unlikely. However, regulatory compliance frameworks in Europe, such as GDPR, emphasize data confidentiality, making even limited data exposure a concern. Organizations should consider the sensitivity of bookmark data and the potential reputational and compliance impacts of unauthorized disclosure.
Mitigation Recommendations
To mitigate CVE-2025-66101, European organizations should first identify all WordPress installations using the Sabuj Kundu CBX Bookmark & Favorite plugin, particularly versions up to 2.0.1. Since no official patches are currently available, immediate steps include:
- auditing and tightening access control configurations within the plugin settings to ensure that only authorized roles can access bookmark functionalities;
- restricting plugin usage to trusted users with appropriate privileges, minimizing exposure to low-privilege accounts;
- implementing strict role-based access controls (RBAC) at the WordPress level to prevent unauthorized access;
- monitoring logs for unusual access patterns or attempts to exploit bookmark features;
- considering temporary deactivation or removal of the plugin if it is not critical to operations until a patch is released;
- staying informed via vendor or security advisories for patch releases or updates;
- applying general WordPress security best practices, including regular updates, strong authentication, and network segmentation to limit attacker movement.
Additionally, organizations should conduct internal awareness training to highlight the risks of unauthorized data exposure through plugins and encourage reporting of suspicious activities.
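The advisory does not publish the affected code path, so the following is an added illustration, not code from the CBX Bookmark & Favorite plugin or from Patchstack. It shows the generic "missing authorization" pattern the CVE class describes in a hypothetical WordPress AJAX handler that returns a user's bookmark list, beside a hardened version that enforces a nonce, a login check and an ownership or capability check. All hook names, the `example_bookmarks` user-meta key and the `example_read_all_bookmarks` capability are assumptions chosen for the example; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `get_user_meta`, `wp_send_json_error`) are real. This is the kind of check an auditor would look for when reviewing a plugin's bookmark endpoints under the first and third mitigation steps above.

```php
<?php
// Added example (not the plugin's code): a hypothetical AJAX endpoint that
// returns the bookmark list stored in user meta for a given user.

// VULNERABLE pattern. The handler is only reachable by logged-in users
// (wp_ajax_ prefix), but it trusts the caller-supplied user_id and performs
// no capability or nonce check, so any low-privilege account can read any
// other user's bookmarks: confidentiality impact, no integrity impact.
add_action( 'wp_ajax_example_get_bookmarks', 'example_get_bookmarks_unsafe' );
function example_get_bookmarks_unsafe() {
    $user_id   = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $bookmarks = get_user_meta( $user_id, 'example_bookmarks', true );
    wp_send_json_success( $bookmarks );
}

// HARDENED pattern. Verify the request nonce, require an authenticated user,
// default to the caller's own list, and only allow a different user_id when
// the caller holds an explicitly granted capability.
add_action( 'wp_ajax_example_get_bookmarks_secure', 'example_get_bookmarks_secure' );
function example_get_bookmarks_secure() {
    // Rejects the request (HTTP 403) if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_bookmarks_nonce', 'nonce' );

    $current = get_current_user_id();
    if ( ! $current ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // Ownership by default: no user_id means "my own bookmarks".
    $requested = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;

    // 'example_read_all_bookmarks' is a hypothetical custom capability that an
    // administrator grants deliberately; no role has it unless it is added.
    if ( $requested !== $current && ! current_user_can( 'example_read_all_bookmarks' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $bookmarks = get_user_meta( $requested, 'example_bookmarks', true );
    wp_send_json_success( is_array( $bookmarks ) ? $bookmarks : array() );
}

// Register the hypothetical capability on activation so that cross-user
// access is a reviewable role setting rather than an implicit default.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'example_read_all_bookmarks' );
    }
} );
```

When auditing a plugin for this class of issue, the questions the hardened handler answers are the ones to ask of each `wp_ajax_*`, `wp_ajax_nopriv_*` and REST route callback: is there a nonce or REST permission callback, does the code check a capability rather than only `is_user_logged_in()`, and is the record being read tied to the current user rather than to an identifier the client supplies.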
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:12.146Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69205c33c36be036e6ff27ab
Added to database: 11/21/2025, 12:33:55 PM
Last enriched: 1/21/2026, 12:28:17 AM
Last updated: 2/7/2026, 3:36:04 PM