ZEEN101 Leaky Paywall CVE-2025-66124
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in ZEEN101 Leaky Paywall leaky-paywall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leaky Paywall: from n/a through <= 4.22.6.
AnalysisAI
Unauthenticated remote attackers can bypass access controls in ZEEN101 Leaky Paywall WordPress plugin versions up to 4.22.6, gaining unauthorized access to restricted content through incorrectly configured security levels. The vulnerability requires no user interaction and can be exploited over the network, though it is limited to information disclosure (CVSS 5.3, EPSS 0.04%). No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The Leaky Paywall plugin (CPE: wordpress/plugin/leaky-paywall) implements access control mechanisms to restrict content behind paywalls and subscription tiers. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to properly enforce authorization checks when users attempt to access protected resources. Instead of validating user privileges and subscription status before granting access to gated content, the plugin's security levels are misconfigured, allowing unauthenticated users to bypass intended access restrictions. This is a common pattern in WordPress plugins where authentication and authorization logic is either omitted from critical endpoints or relies on insecure assumptions about request origins and user identity.
Affected ProductsAI
ZEEN101 Leaky Paywall WordPress plugin is affected in all versions from an unspecified baseline through and including version 4.22.6. The plugin is identified by CPE wordpress/plugin/leaky-paywall. Detailed version information and remediation guidance is available via the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/leaky-paywall/vulnerability/wordpress-leaky-paywall-plugin-4-22-5-broken-access-control-vulnerability?_s_id=cve.
RemediationAI
Upgrade Leaky Paywall to a version newer than 4.22.6 immediately; consult the vendor advisory at Patchstack for the exact patched release version. If immediate upgrade is not feasible, review and reinforce access control logic by ensuring all protected endpoints validate user subscription status and permission levels before serving gated content, and implement additional authentication or authorization layers at the WordPress application level. Verify that all API endpoints and content delivery mechanisms properly enforce the plugin's security levels.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today