CVE-2025-66132

Severity: MEDIUM, base score 6.5 (CVSS 3.1)
Published: 2025-12-16 ([email protected])

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
- CVE Published: Dec 16, 2025 - 09:15 (nvd), rated MEDIUM 6.5

Description (NVD)

Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FAPI Member: from n/a through <= 2.2.29.

Analysis (AI)

Authorization bypass in FAPI Member WordPress plugin through version 2.2.29 allows unauthenticated remote attackers to access or modify resources via insecure direct object references (IDOR) exploiting misconfigured access control security levels. The vulnerability requires no authentication, low attack complexity, and results in confidentiality and integrity impact without availability compromise. EPSS score of 0.04% indicates minimal real-world exploitation probability despite the moderate CVSS score.

Technical Context (AI)

FAPI Member is a WordPress plugin (no CPE is provided in the record, but the sources identify it as a WordPress plugin) that implements membership and authorization controls. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a class of access control flaw in which authorization decisions depend on user-controllable parameters that are not validated against server-side ownership or permission data. In this case, the plugin fails to properly validate or enforce access control security levels when processing user-supplied identifiers or keys, allowing a requester to reference objects they should not be permitted to access. This is classified as an Insecure Direct Object Reference (IDOR) vulnerability: sequential or otherwise enumerable resource identifiers can be substituted to cross intended authorization boundaries.
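To make the CWE-639 pattern concrete, the following is a constructed WordPress REST endpoint added for this record; it is not FAPI Member's source (which the record does not show), and the route name, handler names, post type `fm_member` and meta key `fm_member_user_id` are assumptions. The first handler decides access purely from the client-supplied id; the second keeps the same user-controlled key but resolves the decision against the record's server-side owner.

```php
<?php
// Constructed example, not the plugin's own code. Names (fm_demo_*,
// post type fm_member, meta key fm_member_user_id) are assumptions.

// Vulnerable shape: the only input to the authorization decision is the
// id the caller chose. Registered with 'permission_callback' => '__return_true',
// any requester can read any member record by changing the id (CWE-639 / IDOR).
function fm_demo_get_member_insecure( WP_REST_Request $request ) {
    $member = get_post( (int) $request->get_param( 'id' ) ); // no ownership check
    if ( ! $member ) {
        return new WP_Error( 'not_found', 'No such member', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'id' => $member->ID, 'title' => $member->post_title ) );
}

// Hardened shape: authenticate, then compare the record's stored owner with
// the current user before the handler ever sees the object.
function fm_demo_member_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required', array( 'status' => 401 ) );
    }
    $member_id = (int) $request->get_param( 'id' );
    $member    = get_post( $member_id );
    // Missing and foreign records get the same answer, so ids cannot be
    // enumerated by telling 403 apart from 404.
    if ( ! $member || 'fm_member' !== $member->post_type ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    $owner_id = (int) get_post_meta( $member_id, 'fm_member_user_id', true );
    if ( $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    return true;
}

function fm_demo_get_member_secure( WP_REST_Request $request ) {
    // Only reached after fm_demo_member_permission() returned true.
    $member = get_post( (int) $request->get_param( 'id' ) );
    return rest_ensure_response( array( 'id' => $member->ID, 'title' => $member->post_title ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'fm-demo/v1', '/member/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'fm_demo_get_member_secure',
        // WordPress runs this before the callback; it is the authorization gate.
        'permission_callback' => 'fm_demo_member_permission',
    ) );
} );
```

The fix is not hiding the id but binding the decision to data the client cannot choose; the same check applies to AJAX handlers and form submissions that accept a record id.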

Affected Products (AI)

FAPI Member WordPress plugin versions from an unspecified baseline through version 2.2.29 inclusive are affected. The plugin is maintained by FAPI Business s.r.o. and is hosted in the WordPress plugin repository. Vulnerable installations include all deployments running version 2.2.29 or earlier. The vendor advisory and detailed vulnerability information are available at https://patchstack.com/database/Wordpress/Plugin/fapi-member/vulnerability/wordpress-fapi-member-plugin-2-2-26-insecure-direct-object-references-idor-vulnerability?_s_id=cve.

Remediation (AI)

Immediately update FAPI Member to version 2.2.30 or later, which addresses the authorization bypass flaw. The patch corrects the access control validation logic to properly verify user permissions against access control security levels before granting access to resources. For WordPress administrators, navigate to Plugins > Installed Plugins, locate FAPI Member, and apply the available update through the WordPress admin dashboard. If automatic updates are disabled, manually download the patched version from the WordPress plugin repository or the vendor's site. Until patching is feasible, restrict access to FAPI Member functionality through reverse proxy rules or Web Application Firewall (WAF) policies to limit exposure; however, patching is strongly preferred as this is a complete fix.
