CVE-2025-66113: Missing Authorization in ThemeAtelier Better Chat Support for Messenger
Missing Authorization vulnerability in ThemeAtelier Better Chat Support for Messenger (better-chat-support) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Chat Support for Messenger: from n/a through <= 1.2.18.
AI Analysis
Technical Summary
CVE-2025-66113 is a vulnerability identified in the ThemeAtelier Better Chat Support for Messenger plugin, affecting versions up to and including 1.2.18. The core issue is a missing authorization control, meaning that certain functions or data accessible through the plugin do not properly verify whether the requesting user has the necessary permissions. This misconfiguration allows users with limited privileges (low-level authenticated users) to perform actions or access information beyond their authorization scope. The vulnerability is exploitable remotely over the network without requiring user interaction, increasing its risk profile. The CVSS v3.1 base score of 5.4 reflects a medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). Although no public exploits have been reported yet, the vulnerability could be leveraged to gain unauthorized access to sensitive chat data or manipulate chat support functionality, potentially leading to data leakage or integrity compromise. The plugin is commonly used in WordPress environments to integrate Messenger-based chat support, often in customer service or e-commerce contexts. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate attention from administrators. The vulnerability arises from incorrect access control implementation, a common security flaw that can be mitigated by enforcing strict authorization checks on all sensitive operations within the plugin.
Potential Impact
For European organizations, especially those relying on WordPress-based customer support systems integrating Messenger chat via the Better Chat Support plugin, this vulnerability poses risks of unauthorized data access and potential manipulation of chat interactions. Confidential customer information exchanged through chat could be exposed, violating data protection regulations such as GDPR. Integrity issues could lead to misinformation or unauthorized commands within support workflows, undermining trust and operational reliability. While availability is not directly impacted, the reputational damage and potential regulatory penalties from data breaches could be significant. Organizations in sectors with high customer interaction volumes, such as retail, finance, and telecommunications, are particularly vulnerable. The medium severity score indicates that while exploitation is feasible, it requires some level of authenticated access, limiting the threat to internal or semi-trusted users or attackers who have compromised low-level accounts. Nonetheless, the ease of exploitation over the network and lack of user interaction needed increase the urgency of mitigation. Failure to address this vulnerability could lead to targeted attacks exploiting the plugin to gain footholds or escalate privileges within affected systems.
Mitigation Recommendations
Administrators should immediately audit their use of the Better Chat Support for Messenger plugin and restrict access to the plugin’s functionality to only trusted and necessary user roles. Until an official patch is released, consider disabling the plugin or limiting its exposure to internal networks only. Review and tighten WordPress user role permissions to minimize the number of users with low-level privileges that could exploit this vulnerability. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. Monitor logs for unusual access patterns or privilege escalations related to chat support features. Engage with the vendor, ThemeAtelier, to obtain or request a security update and apply patches promptly once available. Additionally, conduct penetration testing focused on access control mechanisms within the plugin to identify and remediate similar weaknesses. Educate support staff about potential phishing or social engineering attempts that could lead to credential compromise, as attackers need some level of authentication to exploit this vulnerability.
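The missing-authorization pattern the technical summary describes, and the "enforce strict authorization checks" fix the mitigation paragraph calls for, shown as an added PHP example that is not the plugin's own code: a hypothetical WordPress admin-ajax handler without a capability check beside a hardened version, plus the REST-route equivalent. The hook names, option keys, route and the manage_options capability are assumptions for illustration.

```php
<?php
/*
 * Added illustration, not code from the Better Chat Support plugin.
 * Hook names, option keys and the route below are invented.
 */

// VULNERABLE PATTERN: wp_ajax_ hooks fire for every logged-in user, and
// this handler never asks whether that user may change plugin settings.
// That is the "missing authorization" class of bug the advisory describes.
add_action( 'wp_ajax_bcs_save_settings', 'bcs_save_settings_unchecked' );
function bcs_save_settings_unchecked() {
    $page_id = isset( $_POST['page_id'] ) ? $_POST['page_id'] : '';
    update_option( 'bcs_messenger_page_id', $page_id ); // any subscriber can reach this
    wp_send_json_success();
}

// HARDENED: verify a nonce (request forgery) and a capability (authorization)
// before touching state. Only users with manage_options get through.
add_action( 'wp_ajax_bcs_save_settings_v2', 'bcs_save_settings_checked' );
function bcs_save_settings_checked() {
    check_ajax_referer( 'bcs_settings_nonce', 'nonce' ); // terminates on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $page_id = isset( $_POST['page_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['page_id'] ) )
        : '';
    update_option( 'bcs_messenger_page_id', $page_id );
    wp_send_json_success();
}

// Same rule for REST routes: permission_callback is the authorization
// check. Registering a route with permission_callback => '__return_true'
// (or omitting the check) is the REST equivalent of the bug above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'bcs/v1', '/chats', array(
        'methods'             => 'GET',
        'callback'            => 'bcs_list_chats',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
function bcs_list_chats( WP_REST_Request $request ) {
    // Chat transcripts are the sensitive data the advisory worries about;
    // they are only returned once permission_callback has passed.
    return rest_ensure_response( get_option( 'bcs_chat_log', array() ) );
}
```

When auditing a plugin for this bug class, grep every wp_ajax_, wp_ajax_nopriv_ and register_rest_route registration and confirm each handler performs a current_user_can() check appropriate to the action, not merely a nonce check.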
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:26.612Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69205c33c36be036e6ff27c3
Added to database: 11/21/2025, 12:33:55 PM
Last enriched: 1/21/2026, 12:30:39 AM
Last updated: 2/7/2026, 2:17:04 PM