CVE-2025-66113: Missing Authorization in ThemeAtelier Better Chat Support for Messenger
Missing Authorization vulnerability in ThemeAtelier Better Chat Support for Messenger (better-chat-support) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Chat Support for Messenger: from n/a through 1.2.18 inclusive.
AI Analysis
Technical Summary
CVE-2025-66113 is a missing-authorization flaw (CWE-862) in the ThemeAtelier Better Chat Support for Messenger WordPress plugin (slug better-chat-support), affecting every version up to and including 1.2.18. The Patchstack description classifies the attack pattern as CAPEC-180, Exploiting Incorrectly Configured Access Control Security Levels: some plugin functionality is reachable without the capability check that should gate it, so whoever can reach the endpoint can invoke it regardless of their WordPress role. In WordPress plugins this bug class almost always takes one of three shapes: an admin-ajax.php handler registered on wp_ajax_ (or, worse, wp_ajax_nopriv_) that never calls current_user_can(); a REST route whose permission_callback is missing or always returns true; or a settings/form handler that verifies a nonce but not a capability (a nonce proves the request was intentional, not that the user is allowed to make it). The advisory does not name the affected function or the privilege level needed to reach it, so until the vendor's changelog clarifies, plan for the worst case of an unauthenticated or Subscriber-level caller. No exploitation in the wild has been reported, and no CVSS score has been published (the record lists Cvss Version as null), which means the severity is unrated rather than low. The plugin integrates Facebook Messenger chat into a site for customer service and sales; what an attacker can actually read or change depends entirely on which function lacks the check, which the advisory leaves open. The record carries no patch link. A Patchstack range of "through 1.2.18" normally means a later release contains the fix, so check the plugin's changelog on WordPress.org for a version above 1.2.18 before relying on interim mitigations.
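As an added illustration, not code from the Better Chat Support for Messenger plugin (whose affected function the advisory does not name), the following constructed WordPress snippet shows the CWE-862 pattern in its admin-ajax and REST forms next to the hardened version of each. Every hook, option, route and function name here (example_*, example/v1) is hypothetical.

```php
<?php
/**
 * Constructed illustration of the WordPress missing-authorization pattern
 * behind CWE-862 advisories such as CVE-2025-66113. NOT the plugin's code:
 * every hook, option, route and function name below is hypothetical.
 */

// --- Vulnerable AJAX handler ---------------------------------------------
// Registered on both wp_ajax_ and wp_ajax_nopriv_, so a logged-out visitor can
// POST to /wp-admin/admin-ajax.php?action=example_save_chat_settings and nothing
// in the handler checks capability or nonce before writing a site option.
// Note that the input is already sanitized: sanitization is not authorization.
add_action( 'wp_ajax_example_save_chat_settings',        'example_save_chat_settings_vuln' );
add_action( 'wp_ajax_nopriv_example_save_chat_settings', 'example_save_chat_settings_vuln' );
function example_save_chat_settings_vuln() {
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success();
}

// --- Hardened AJAX handler -----------------------------------------------
// Only the authenticated hook is registered, the capability check decides WHO
// may act, and the nonce check afterwards only guards against CSRF.
add_action( 'wp_ajax_example_save_chat_settings_fixed', 'example_save_chat_settings_fixed' );
function example_save_chat_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 ); // exits
    }
    check_ajax_referer( 'example_chat_settings', 'nonce' );     // dies on failure
    $page_id = sanitize_text_field( wp_unslash( $_POST['page_id'] ?? '' ) );
    if ( ! preg_match( '/^\d{1,20}$/', $page_id ) ) {
        wp_send_json_error( 'invalid_page_id', 400 );
    }
    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success();
}

// --- The same bug and fix in REST form -----------------------------------
add_action( 'rest_api_init', function () {
    // Vulnerable: permission_callback that always allows, so anyone who can
    // reach /wp-json/example/v1/chat-settings can change the setting.
    register_rest_route( 'example/v1', '/chat-settings', [
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => '__return_true',
    ] );

    // Hardened: the capability check lives in permission_callback, so WordPress
    // answers 401/403 before the callback runs. For cookie-authenticated calls
    // core additionally requires a valid X-WP-Nonce header.
    register_rest_route( 'example/v1', '/chat-settings-fixed', [
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => [
            'page_id' => [
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^\d{1,20}$/', (string) $value );
                },
            ],
        ],
    ] );
} );

function example_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'example_chat_page_id', sanitize_text_field( $request->get_param( 'page_id' ) ) );
    return rest_ensure_response( [ 'saved' => true ] );
}
```

When reviewing a plugin for this class of bug, grep for add_action( 'wp_ajax_ and register_rest_route and confirm that each handler either calls current_user_can() itself or hands that decision to permission_callback; a handler that only calls check_ajax_referer() or wp_verify_nonce() is still missing its authorization check.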
Potential Impact
For European organizations that run WordPress as a customer-engagement front end, the practical risk depends on which function lacks the check, which the advisory does not name. The usual consequences of a missing-authorization bug in a chat-widget plugin are that an attacker can read or change the plugin's settings or trigger its actions with a privilege level that should not permit it, for example diverting or disabling the widget so customer enquiries never reach support. If the unprotected function handles personal data, exposure of that data brings GDPR obligations, including breach notification, on top of the reputational cost. E-commerce, financial-services and public-sector sites that rely on the widget for front-line support are the most exposed. The advisory describes unauthorized actions within the plugin's own scope; it does not claim escalation to a higher WordPress role, so treat the integrity and availability of the support channel as the primary impact unless the vendor says otherwise.
Mitigation Recommendations
Inventory first: list installed plugins and versions with WP-CLI (wp plugin list --fields=name,version,status) or from Plugins in the dashboard, and treat any better-chat-support install at 1.2.18 or lower as affected. Check the plugin's changelog on WordPress.org for a release above 1.2.18; if one exists, updating is the fix and everything below is interim only. Until then, restrict wp-admin/ and wp-login.php to trusted networks or an authenticating proxy where the site's workflow allows, enforce MFA for administrator accounts, and audit roles so that only the people who configure the widget hold the capability that gates its settings (usually manage_options). Because the advisory does not identify the unprotected endpoint, WAF rules can only be coarse (rate-limit unauthenticated POSTs to admin-ajax.php and block the plugin's REST namespace from outside the admin network); treat them as monitoring aids, not a fix. Watch access logs for admin-ajax.php and REST requests that reference the plugin's action or route names from sessions that should not hold that privilege, and alert on changes to the plugin's options. Contact ThemeAtelier's support channels for a fixed release, and if the widget is not business-critical, deactivate the plugin until one is installed. Keep WordPress core and other plugins current so that this flaw cannot be chained with another.
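An added example of the inventory step, not vendor code: a must-use plugin that locates the plugin by its directory slug (assumed here to match the better-chat-support slug the advisory gives), compares the installed version with version_compare(), logs and displays an admin notice when it is 1.2.18 or lower, and can deactivate it when a constant is set in wp-config.php. The function names and the constant CVE_2025_66113_DEACTIVATE are assumptions for this example.

```php
<?php
/**
 * Plugin Name: CVE-2025-66113 exposure check
 * Description: Added example, not vendor code. Flags better-chat-support at
 *              version 1.2.18 or lower and optionally deactivates it.
 *              Drop this file into wp-content/mu-plugins/.
 */

// Pure helper so the comparison can be reused from WP-CLI, cron or tests.
// version_compare() knows that 1.2.9 < 1.2.18; a plain string comparison
// would wrongly treat 1.2.9 as newer and miss an affected install.
function cve_2025_66113_is_affected( string $version ): bool {
    return version_compare( $version, '1.2.18', '<=' );
}

// Locate the plugin by directory slug instead of guessing its main file name.
// get_plugins() keys entries as "slug/main-file.php"; the slug is assumed to
// be the directory name, which is the WordPress.org convention.
function cve_2025_66113_find_plugin(): ?array {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( 0 === strpos( $file, 'better-chat-support/' ) ) {
            return [ 'file' => $file, 'version' => (string) ( $data['Version'] ?? '0' ) ];
        }
    }
    return null;
}

add_action( 'admin_init', function () {
    $plugin = cve_2025_66113_find_plugin();
    if ( ! $plugin || ! cve_2025_66113_is_affected( $plugin['version'] ) ) {
        return;
    }

    $msg = sprintf(
        'CVE-2025-66113: %s version %s is affected (<= 1.2.18); update or deactivate.',
        $plugin['file'],
        $plugin['version']
    );
    error_log( $msg ); // lands in the PHP/WP debug log for the SOC to pick up

    add_action( 'admin_notices', function () use ( $msg ) {
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $msg ) );
    } );

    // Hard stop: define( 'CVE_2025_66113_DEACTIVATE', true ) in wp-config.php
    // keeps the plugin switched off until a fixed release is installed.
    if ( defined( 'CVE_2025_66113_DEACTIVATE' ) && CVE_2025_66113_DEACTIVATE
         && is_plugin_active( $plugin['file'] ) ) {
        deactivate_plugins( $plugin['file'] );
    }
} );
```

Because it is a must-use plugin it cannot itself be deactivated from the dashboard, so the check survives until an operator removes the file; once a release above 1.2.18 is installed the comparison returns false and the notice disappears on its own.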
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:26.612Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69205c33c36be036e6ff27c3
Added to database: 11/21/2025, 12:33:55 PM
Last enriched: 11/21/2025, 12:48:57 PM
Last updated: 11/21/2025, 3:19:46 PM
Views: 4
Related Threats
- CVE-2025-13357: CWE-1188: Initialization of a Resource with an Insecure Default in HashiCorp Tooling (High)
- CVE-2025-41115: Vulnerability in Grafana Grafana Enterprise (Critical)
- CVE-2025-13432: CWE-863: Incorrect Authorization in HashiCorp Terraform Enterprise (Medium)
- CVE-2025-11127: CWE-639 Authorization Bypass Through User-Controlled Key in Mstoreapp Mobile App (Critical)
- CVE-2025-66115: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in MatrixAddons Easy Invoice (Unknown)