Skip to main content

ZEEN101 Leaky Paywall CVE-2025-66124

MEDIUM
Missing Authorization (CWE-862)
2025-12-16 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 16, 2025 - 09:15 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in ZEEN101 Leaky Paywall leaky-paywall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leaky Paywall: from n/a through <= 4.22.6.

AnalysisAI

Unauthenticated remote attackers can bypass access controls in ZEEN101 Leaky Paywall WordPress plugin versions up to 4.22.6, gaining unauthorized access to restricted content through incorrectly configured security levels. The vulnerability requires no user interaction and can be exploited over the network, though it is limited to information disclosure (CVSS 5.3, EPSS 0.04%). No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The Leaky Paywall plugin (CPE: wordpress/plugin/leaky-paywall) implements access control mechanisms to restrict content behind paywalls and subscription tiers. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to properly enforce authorization checks when users attempt to access protected resources. Instead of validating user privileges and subscription status before granting access to gated content, the plugin's security levels are misconfigured, allowing unauthenticated users to bypass intended access restrictions. This is a common pattern in WordPress plugins where authentication and authorization logic is either omitted from critical endpoints or relies on insecure assumptions about request origins and user identity.

Affected ProductsAI

ZEEN101 Leaky Paywall WordPress plugin is affected in all versions from an unspecified baseline through and including version 4.22.6. The plugin is identified by CPE wordpress/plugin/leaky-paywall. Detailed version information and remediation guidance is available via the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/leaky-paywall/vulnerability/wordpress-leaky-paywall-plugin-4-22-5-broken-access-control-vulnerability?_s_id=cve.

RemediationAI

Upgrade Leaky Paywall to a version newer than 4.22.6 immediately; consult the vendor advisory at Patchstack for the exact patched release version. If immediate upgrade is not feasible, review and reinforce access control logic by ensuring all protected endpoints validate user subscription status and permission levels before serving gated content, and implement additional authentication or authorization layers at the WordPress application level. Verify that all API endpoints and content delivery mechanisms properly enforce the plugin's security levels.

Share

CVE-2025-66124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy