CVE-2025-66107: Missing Authorization in Scott Paterson Subscriptions & Memberships for PayPal
Missing Authorization vulnerability in Scott Paterson Subscriptions & Memberships for PayPal (subscriptions-memberships-for-paypal) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscriptions & Memberships for PayPal: from n/a through <= 1.1.7.
AI Analysis
Technical Summary
CVE-2025-66107 identifies a Missing Authorization vulnerability in the Scott Paterson Subscriptions & Memberships for PayPal plugin, affecting all versions up to and including 1.1.7. This vulnerability arises from incorrectly configured access control mechanisms within the plugin, which fail to properly verify whether a user is authorized to perform certain subscription management actions. Because the vulnerability is exploitable remotely without requiring authentication or user interaction, an attacker can potentially access subscription-related functions that should be restricted. The CVSS 3.1 base score of 5.3 reflects a medium severity, primarily due to the limited confidentiality impact and absence of integrity or availability compromise. The vulnerability could allow unauthorized disclosure of subscription data or unauthorized viewing of membership information, which may lead to privacy violations or business intelligence leakage. However, it does not enable modification or deletion of data, nor does it disrupt service availability. The plugin is commonly used in WordPress environments to manage PayPal-based subscriptions and memberships, making it a target for attackers seeking to exploit e-commerce or membership sites. No public exploits have been reported yet, but the ease of exploitation and lack of authentication requirements make timely remediation important. The vulnerability was published on November 21, 2025, and no official patches or updates are currently linked, indicating that users should monitor vendor communications closely.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to e-commerce platforms and membership-based services that rely on the Scott Paterson Subscriptions & Memberships for PayPal plugin. Unauthorized access to subscription data could lead to exposure of customer information, potentially violating GDPR requirements concerning personal data confidentiality. Although the vulnerability does not allow data modification or service disruption, the leakage of subscription details can harm customer trust and lead to reputational damage. Additionally, attackers could leverage exposed information for targeted phishing or social engineering attacks. The impact is more pronounced for businesses with large subscriber bases or those handling sensitive membership data. Given the widespread use of WordPress and PayPal integrations across Europe, the vulnerability could affect a significant number of organizations if unmitigated. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Organizations in regulated sectors such as finance, healthcare, and education should be particularly vigilant due to the sensitivity of subscription data and compliance obligations.
Mitigation Recommendations
European organizations should take the following specific steps to mitigate this vulnerability:
1) Immediately audit all installations of the Scott Paterson Subscriptions & Memberships for PayPal plugin to identify affected versions (<= 1.1.7).
2) Apply vendor patches or updates as soon as they become available; if no patch exists, consider disabling the plugin or restricting its access until a fix is released.
3) Implement strict access control policies at the web application and server levels to limit who can interact with subscription management endpoints, using IP whitelisting or VPN access where feasible.
4) Employ Web Application Firewalls (WAFs) to detect and block suspicious requests targeting subscription-related URLs.
5) Monitor logs for unusual access patterns or unauthorized attempts to access subscription data.
6) Conduct regular security assessments and penetration tests focusing on access control mechanisms within subscription management workflows.
7) Educate administrators and developers about secure configuration practices to prevent similar authorization issues in custom or third-party plugins.
8) Ensure compliance with GDPR by promptly addressing any data exposure incidents and notifying affected users if necessary.
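Step 1 above (auditing installations for the affected version range) as an added Python example that is not part of the advisory or the plugin: it assumes each site's plugin inventory is exported with WP-CLI's `wp plugin list --format=json`, and the sample inventory embedded below is constructed, not real site data.

```python
# Added example (not from the advisory): flag installs of the affected plugin
# whose version is inside the advisory's range (<= 1.1.7).
import json

AFFECTED_SLUG = "subscriptions-memberships-for-paypal"  # slug named in the CVE text
LAST_AFFECTED = "1.1.7"                                 # "from n/a through <= 1.1.7"


def version_tuple(version):
    """'1.1.7', '1.2' or '1.1.7-beta' -> comparable 3-int tuple (suffix ignored, gaps = 0)."""
    parts = []
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True when the installed version falls inside the advisory's affected range."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)


def audit(plugin_list_json):
    """One finding per copy of the affected slug in `wp plugin list --format=json`
    output (entries carry 'name', 'status', 'version'); inactive copies are
    reported too, since the code stays on disk until the plugin is deleted."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != AFFECTED_SLUG:
            continue
        findings.append({"version": plugin["version"], "status": plugin["status"],
                         "affected": is_affected(plugin["version"])})
    return findings


# Constructed sample inventory (not real site data) with one vulnerable copy.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": AFFECTED_SLUG, "status": "active", "update": "none", "version": "1.1.7"},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Run it against the JSON from each site (for example `wp plugin list --format=json > site.json`) and treat any finding with `affected: True` as a host for step 2, whether the plugin is active or not.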
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:20.344Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69205c33c36be036e6ff27b1
Added to database: 11/21/2025, 12:33:55 PM
Last enriched: 1/21/2026, 12:29:22 AM
Last updated: 2/7/2026, 2:50:36 PM