CVE-2025-66122: Missing Authorization in Design Stylish Price List
Missing Authorization vulnerability in Design Stylish Price List stylish-price-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stylish Price List: from n/a through <= 7.2.2.
AI Analysis
Technical Summary
CVE-2025-66122 is a security vulnerability identified in the Design Stylish Price List plugin, a tool used to display styled price lists on websites, particularly those built on content management systems like WordPress. The vulnerability stems from missing authorization checks: the plugin fails to properly enforce access control security levels. This allows an attacker to bypass intended restrictions and perform unauthorized actions, such as viewing, modifying, or deleting price list data that should be protected. The affected range is listed as n/a through 7.2.2, i.e. all releases up to and including 7.2.2, with no lower bound given. The vulnerability was reserved in late November 2025 and published in mid-December 2025, with no CVSS score assigned yet and no known exploits reported in the wild. The lack of an authentication requirement for exploitation increases the risk, as attackers do not need valid credentials to leverage this flaw. This vulnerability primarily impacts the confidentiality and integrity of data managed by the plugin, potentially leading to unauthorized data disclosure or tampering. The absence of patches at the time of reporting necessitates immediate attention to access control configurations and monitoring for suspicious activity. Organizations using this plugin should prioritize mitigation to prevent exploitation.
Potential Impact
For European organizations, the missing authorization vulnerability in the Stylish Price List plugin could lead to unauthorized access to sensitive pricing information, manipulation of displayed prices, or unauthorized changes to product listings. This can result in financial losses, reputational damage, and erosion of customer trust. E-commerce businesses and service providers relying on this plugin for price presentation are particularly at risk. The vulnerability could also be leveraged as a foothold for further attacks within the network if attackers gain administrative privileges or access to backend systems. Given that exploitation does not require authentication, the attack surface is broad, increasing the likelihood of opportunistic attacks. The impact on availability is limited but possible if attackers modify or delete critical data. Compliance with European data protection regulations such as GDPR could be jeopardized if unauthorized data access occurs, leading to potential legal and financial penalties.
Mitigation Recommendations
1. Immediately review and tighten access control settings related to the Stylish Price List plugin, ensuring that only authorized users have permissions to view or modify price lists.
2. Monitor web server and application logs for unusual access patterns or unauthorized attempts to interact with the plugin's functionality.
3. Implement web application firewalls (WAF) with custom rules to detect and block unauthorized requests targeting the plugin endpoints.
4. Restrict access to administrative interfaces and plugin management pages via IP whitelisting or VPN access where feasible.
5. Stay alert for official patches or updates from the vendor and apply them promptly once released.
6. Conduct regular security audits and penetration testing focusing on access control mechanisms within web applications.
7. Educate development and operations teams about the risks of missing authorization and enforce secure coding practices to prevent similar issues.
8. If possible, temporarily disable or replace the plugin with a more secure alternative until a fix is available.
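The following is an added illustration of what "missing authorization" in a WordPress plugin typically looks like and how the hardened form differs. It is not code from Stylish Price List, and the page does not identify where the plugin's check is missing; the hook names (`example_save_price_list`, `example_get_price_list`), the option key `example_price_list_items` and the nonce action are hypothetical placeholders chosen for this example.

```php
<?php
// Added example: the "missing authorization" pattern in a WordPress AJAX
// handler beside its hardened counterpart. Hypothetical names throughout;
// this is not the Stylish Price List plugin's code.

// --- Vulnerable pattern: every request that reaches the handler is honoured. ---
// wp_ajax_nopriv_* fires for unauthenticated visitors, and the handler never
// asks whether the caller is allowed to change plugin data. This is the shape
// of flaw the advisory describes: access control is simply not enforced.
add_action( 'wp_ajax_example_save_price_list',        'example_save_price_list_insecure' );
add_action( 'wp_ajax_nopriv_example_save_price_list', 'example_save_price_list_insecure' );

function example_save_price_list_insecure() {
    $items = isset( $_POST['items'] ) ? wp_unslash( $_POST['items'] ) : array();
    update_option( 'example_price_list_items', $items ); // hypothetical option key
    wp_send_json_success();
}

// --- Hardened pattern: authenticate, authorize, verify intent, sanitise. ---
// Registered only on wp_ajax_* (never wp_ajax_nopriv_*), so WordPress rejects
// anonymous callers before the handler runs.
add_action( 'wp_ajax_example_save_price_list', 'example_save_price_list_secure' );

function example_save_price_list_secure() {
    // Authorization: only users allowed to manage site options may write.
    // wp_send_json_error() terminates the request, so no fall-through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the request must carry a nonce issued on the plugin's
    // own admin page (created with wp_create_nonce( 'example_price_list_nonce' )).
    check_ajax_referer( 'example_price_list_nonce', '_ajax_nonce' );

    $raw   = isset( $_POST['items'] ) ? wp_unslash( $_POST['items'] ) : array();
    $items = map_deep( (array) $raw, 'sanitize_text_field' );
    update_option( 'example_price_list_items', $items );
    wp_send_json_success();
}

// Reads need the same discipline: the advisory lists *viewing* protected data
// as one consequence, so a read endpoint must also check a capability rather
// than assume "logged in" means "allowed".
add_action( 'wp_ajax_example_get_price_list', 'example_get_price_list_secure' );

function example_get_price_list_secure() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( get_option( 'example_price_list_items', array() ) );
}
```

When auditing a plugin against recommendation 1 and 7 above, the two questions to ask of every `wp_ajax_*`, `admin_post_*` and REST route callback are exactly the ones the hardened handler answers: is there a `current_user_can()` (or REST `permission_callback`) check for the specific capability the action requires, and is the request's origin verified with a nonce? A handler that is also registered under `wp_ajax_nopriv_*` and writes state is the most direct signal of the class of flaw described on this page.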
Affected Countries
Germany, United Kingdom, France, Italy, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:26.613Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69411750594e45819d70c73d
Added to database: 12/16/2025, 8:24:48 AM
Last enriched: 12/16/2025, 8:40:15 AM
Last updated: 12/18/2025, 3:53:45 AM