CVE-2026-25036 is a missing authorization vulnerability found in the WP Chill Passster plugin, a WordPress content protection tool designed to restrict access to certain content based on user permissions. The vulnerability arises due to incorrectly configured access control security levels, allowing users with low privileges (PR:L) to bypass authorization checks and access protected content without proper permissions. The vulnerability affects all versions of Passster up to and including 4.2.25. The CVSS 3.1 base score is 6.5 (medium), with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). This means an attacker with a low-level authenticated account can remotely exploit the vulnerability without user interaction to gain unauthorized access to confidential content. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality by exposing protected content. No public exploits have been reported yet, but the flaw represents a significant risk for websites relying on Passster for content access control. The root cause is a failure to enforce proper authorization checks before granting access to protected resources, which is a common security misconfiguration in web applications. Organizations using Passster should monitor for updates from WP Chill and apply patches promptly once available.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive or restricted content hosted on WordPress sites using the Passster plugin. This could lead to data leaks involving confidential business information, intellectual property, or personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. Since the vulnerability requires only low-level privileges, an attacker who gains minimal access (e.g., a registered user or subscriber) could escalate their access to protected content, bypassing intended restrictions. This undermines trust in the organization's content protection mechanisms and could facilitate further social engineering or targeted attacks. The lack of impact on integrity and availability limits the threat to confidentiality, but the exposure of sensitive content alone can have serious consequences. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation. Organizations in sectors such as media, education, e-commerce, and any that use Passster to protect premium or sensitive content are particularly vulnerable.

1. Monitor WP Chill’s official channels for security updates and apply patches for Passster promptly once released. 2. Until a patch is available, implement additional access control mechanisms at the web server or application firewall level to restrict access to protected content paths. 3. Review and tighten user privilege assignments in WordPress to minimize the number of users with authenticated access, reducing the attack surface. 4. Conduct an audit of all content protected by Passster to identify and temporarily restrict access to highly sensitive materials. 5. Employ logging and monitoring to detect unusual access patterns indicative of exploitation attempts. 6. Consider deploying a Web Application Firewall (WAF) with custom rules to block unauthorized access attempts targeting Passster endpoints. 7. Educate site administrators about the risks of misconfigured access controls and encourage regular security reviews of plugin configurations. 8. If feasible, isolate critical content behind additional authentication layers or use alternative plugins with verified secure authorization implementations.