
CVE-2025-66107: Missing Authorization in Scott Paterson Subscriptions & Memberships for PayPal

Severity: Medium
Published: Fri Nov 21 2025 (11/21/2025, 12:30:04 UTC)
Source: CVE Database V5
Vendor/Project: Scott Paterson
Product: Subscriptions & Memberships for PayPal

Description

Missing Authorization vulnerability in Scott Paterson Subscriptions & Memberships for PayPal (subscriptions-memberships-for-paypal) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscriptions & Memberships for PayPal: from n/a through <= 1.1.7.

AI-Powered Analysis

Last updated: 12/01/2025, 18:21:59 UTC

Technical Analysis

CVE-2025-66107 identifies a Missing Authorization vulnerability in the Scott Paterson Subscriptions & Memberships for PayPal WordPress plugin, affecting all versions up to and including 1.1.7. The vulnerability arises from incorrectly configured access control security levels: an authorization check in the plugin's access control mechanisms is missing or incorrect, so a remote attacker can reach certain functionality or data without being authorized to do so. No authentication or user interaction is required, which makes the issue exploitable over the network.

The CVSS 3.1 base score is 5.3 (medium), reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity or availability. Because the plugin manages subscriptions and memberships through PayPal integration, unauthorized access could expose subscription details or user information.

There were no known public exploits or patches available at the time of publication. The vulnerability was published on November 21, 2025, and assigned by Patchstack. The absence of patch links suggests that the maintainer has yet to release a fix, which increases the urgency of compensating controls for affected organizations.

Potential Impact

For European organizations, the impact primarily concerns confidentiality breaches involving subscription and membership data managed through the affected plugin. Exposure of such data could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. Although the vulnerability does not affect data integrity or system availability, unauthorized access to subscription details could facilitate further targeted attacks, social engineering, or fraud. Organizations relying on this plugin for e-commerce or membership management may face risks of customer data leakage. Given the plugin’s integration with PayPal, attackers might also attempt to leverage exposed information for financial fraud or account takeover attempts. The medium severity rating indicates a moderate risk, but the ease of exploitation without authentication increases the urgency for mitigation. European entities with high volumes of online transactions or membership services are particularly vulnerable. Additionally, failure to address this vulnerability could attract regulatory scrutiny under data protection laws, especially if personal data is compromised.

Mitigation Recommendations

1. Immediately audit and restrict access controls within the Subscriptions & Memberships for PayPal plugin, ensuring that all sensitive endpoints enforce proper authorization checks.
2. If a vendor patch becomes available, prioritize its deployment across all affected systems without delay.
3. Implement Web Application Firewall (WAF) rules to monitor and block unauthorized access attempts targeting the plugin's endpoints.
4. Conduct thorough logging and monitoring of subscription-related API calls to detect anomalous or unauthorized activity.
5. Limit exposure by disabling or removing the plugin if it is not essential, or replace it with a more secure alternative.
6. Review user roles and permissions within the WordPress environment to minimize privilege escalation risks.
7. Educate administrators on secure plugin configuration and the importance of timely updates.
8. Perform regular vulnerability scans focusing on WordPress plugins to identify similar misconfigurations.
9. Coordinate with legal and compliance teams to assess potential GDPR implications and prepare incident response plans.
10. Engage with the plugin vendor or community to track patch releases and security advisories.
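As an added illustration, not code from the plugin or from this advisory, the following shows the WordPress pattern behind a missing-authorization bug of this class next to the corrected form that mitigation item 1 asks for. The route names, option key, nonce action and capability are assumptions, since the advisory does not identify the affected endpoint.

```php
<?php
// Hypothetical plugin handlers (not the real plugin's code). Names are assumed.

// VULNERABLE pattern: permission_callback accepts every caller, so the route is
// reachable by anonymous users (consistent with AV:N / PR:N / UI:N, C:L).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-subs/v1', '/subscriptions', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_subs_list',
        'permission_callback' => '__return_true', // missing authorization check
    ) );
} );

// HARDENED pattern: require a logged-in user holding a privileged capability;
// WordPress rejects any other request before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-subs/v1', '/subscriptions-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_subs_list',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

function example_subs_list( WP_REST_Request $request ) {
    // Assumed storage: subscription records kept in a plugin option.
    return rest_ensure_response( get_option( 'example_subs_records', array() ) );
}

// The same defect in admin-ajax style: registering a privileged action under
// wp_ajax_nopriv_ exposes it to anonymous callers. Register it for logged-in
// users only and verify both a nonce and a capability inside the handler.
add_action( 'wp_ajax_example_subs_export', 'example_subs_export' );
function example_subs_export() {
    check_ajax_referer( 'example_subs_export', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( get_option( 'example_subs_records', array() ) );
}
```

When auditing a plugin, search for `'permission_callback' => '__return_true'` and `wp_ajax_nopriv_` registrations and confirm each one is intended to be public.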


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-11-21T11:21:20.344Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69205c33c36be036e6ff27b1

Added to database: 11/21/2025, 12:33:55 PM

Last enriched: 12/1/2025, 6:21:59 PM

Last updated: 1/7/2026, 8:47:40 AM

