CVE-2025-66113 identifies a Missing Authorization vulnerability in the ThemeAtelier Better Chat Support for Messenger plugin, specifically in versions up to and including 1.2.18. This vulnerability stems from improperly configured access control mechanisms within the plugin, which fail to adequately restrict user permissions. As a result, users with low-level privileges (PR:L) can exploit the flaw over a network (AV:N) without requiring any user interaction (UI:N) to perform unauthorized actions that compromise confidentiality and integrity of data handled by the plugin. The plugin is designed to integrate Facebook Messenger chat support into websites, commonly WordPress-based, enabling real-time customer interaction. The vulnerability could allow an attacker to access or modify chat data or configuration settings that should be restricted, potentially leading to data leakage or manipulation of chat support functionality. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates low attack complexity and no impact on availability. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The lack of patches at the time of reporting necessitates immediate configuration reviews and monitoring until updates are released.

For European organizations, the impact of this vulnerability primarily concerns the confidentiality and integrity of customer communication data handled via the Better Chat Support for Messenger plugin. Unauthorized access could lead to exposure of sensitive customer information or manipulation of chat interactions, undermining trust and potentially violating data protection regulations such as GDPR. While availability is not affected, the breach of confidentiality and integrity could result in reputational damage, regulatory penalties, and loss of customer confidence. Organizations heavily reliant on Messenger chat support for customer engagement, especially e-commerce and service providers, face higher risks. The medium severity suggests a moderate but actionable risk, emphasizing the need for timely mitigation to prevent exploitation.

Organizations should immediately audit their current use of the Better Chat Support for Messenger plugin, verifying user roles and permissions to ensure no excessive privileges are granted. Until an official patch is released, restrict plugin access to trusted administrators only and disable or remove the plugin if feasible. Implement network-level controls such as web application firewalls (WAFs) to monitor and block suspicious requests targeting the plugin endpoints. Enable detailed logging and monitor for anomalous activities related to chat support functions. Stay informed on vendor updates and apply patches promptly once available. Additionally, conduct regular security assessments of all third-party plugins to identify and remediate similar access control issues proactively.