CVE-2025-66149

2025-12-31 [email protected]

Lifecycle Timeline

CVE Published: Dec 31, 2025 - 19:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Missing Authorization vulnerability in merkulove UnGrabber ungrabber allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UnGrabber: from n/a through <= 3.1.3.

Analysis

The merkulove UnGrabber WordPress plugin, versions 3.1.3 and earlier, is missing an authorization check on at least one operation: a request that reaches the affected code path is acted on without verifying that the requester holds the privilege the operation requires. The weakness is classified as CWE-862 (Missing Authorization) and maps to the attack pattern "Exploiting Incorrectly Configured Access Control Security Levels". The published CVE description does not name the affected operation or state the minimum privilege needed to reach it, so the practical impact (which actions can be performed, and whether any authentication is required at all) has to be taken from the Patchstack advisory rather than from the CVE record.

Technical Context

The vulnerability is rooted in CWE-862 (Missing Authorization), a weakness in which software fails to check whether the caller is permitted to perform a sensitive operation or access a resource. For the UnGrabber plugin this means that some functionality or endpoint can be invoked without a check that the requester has the required privilege. This is distinct from an authentication bypass: the plugin may know who the caller is (or that the caller is anonymous) but never confirms that this principal is allowed to perform the requested action. WordPress plugins are particularly prone to this class of bug because the framework makes it easy to expose code paths (admin-ajax.php actions, REST routes, admin-post handlers) and each one must enforce its own authorization. Typical omissions are a handler that never calls current_user_can(), a wp_ajax_nopriv_ hook on an action that has no legitimate anonymous use, or a REST route registered with permission_callback => '__return_true'. A nonce check (check_ajax_referer()) is not a substitute: it shows the request originated from a page the site served, not that the user is allowed to do what the request asks.
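As an added illustration, not code from UnGrabber or from the advisory, the following shows the CWE-862 pattern in a hypothetical WordPress plugin: an admin-ajax handler and a REST route that perform a privileged write with no capability check, beside hardened versions of both. Every name here (the demo_ prefix, the option name, the AJAX action, the REST namespace, the manage_options capability chosen for the example) is invented; the UnGrabber code itself is not shown by the advisory.

```php
<?php
/**
 * Added example for CVE-2025-66149's weakness class (CWE-862). Hypothetical
 * plugin code; the UnGrabber plugin's real handlers are not reproduced here.
 * Option name, action names and REST namespace are assumptions.
 */

// --- Vulnerable pattern: the handler is registered for logged-in AND
// anonymous users, and trusts the request without verifying capability.
add_action( 'wp_ajax_demo_save_settings',        'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );

function demo_save_settings_vulnerable() {
    // No current_user_can() and no nonce check: anyone who can reach
    // /wp-admin/admin-ajax.php?action=demo_save_settings rewrites the option.
    update_option( 'demo_protected_html', wp_unslash( $_POST['html'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern: logged-in users only (no wp_ajax_nopriv_ hook because
// the operation has no anonymous use), a valid nonce, and a capability check
// that matches the sensitivity of the operation.
add_action( 'wp_ajax_demo_save_settings_secure', 'demo_save_settings_secure' );

function demo_save_settings_secure() {
    // CSRF protection only; on failure WordPress stops the request with 403.
    check_ajax_referer( 'demo_save_settings', '_ajax_nonce' );

    // Authorization: this is the check whose absence is CWE-862. Use the
    // narrowest capability that fits; manage_options for a site-wide setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    $html = isset( $_POST['html'] ) ? wp_kses_post( wp_unslash( $_POST['html'] ) ) : '';
    update_option( 'demo_protected_html', $html );
    wp_send_json_success();
}

// --- The same mistake on the REST API is permission_callback => '__return_true'
// (or an omitted callback on old WordPress versions), which publishes the route
// to everyone. Register the route with a real capability check instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'html' => array(
                'required'          => true,
                'sanitize_callback' => 'wp_kses_post',
            ),
        ),
    ) );
} );

function demo_rest_save_settings( WP_REST_Request $request ) {
    // Authorization already enforced by permission_callback before this runs.
    update_option( 'demo_protected_html', $request->get_param( 'html' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this class of bug, the quick checklist is the one the hardened half encodes: for every add_action('wp_ajax_…'), admin_post_… and register_rest_route() call, find the capability check, confirm it is not just a nonce, and ask whether the nopriv/anonymous variant should exist at all.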

Affected Products

All releases of the UnGrabber plugin by merkulove up to and including version 3.1.3 are affected; the advisory gives the range as "n/a through 3.1.3", i.e. no lower bound. The plugin is distributed through the official WordPress plugin repository. Additional details are available in the Patchstack vulnerability database entry linked under Remediation.

Remediation

Update merkulove UnGrabber to a version later than 3.1.3 (exact patched version number not specified in available advisories). Users should immediately upgrade the plugin through the WordPress admin dashboard (Plugins > Installed Plugins) or manually upload the latest version. Until an update is available and deployed, site administrators should restrict access to the UnGrabber plugin functionality through WordPress user role and capability management, or temporarily disable the plugin if it is not critical to site operations. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ungrabber/vulnerability/wordpress-ungrabber-plugin-3-1-3-broken-access-control-vulnerability) for definitive patch version information and additional mitigation guidance.
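The interim mitigation above (disable the plugin until a fixed release is deployed) can be enforced rather than left to a manual step. The following is an added example, not code from vuln.today or the UnGrabber project: a must-use plugin (dropped into wp-content/mu-plugins/) that deactivates UnGrabber whenever the installed version is inside the advisory's affected range and explains why in the admin UI. It assumes the plugin directory slug is "ungrabber" (taken from the Patchstack advisory URL); the plugin's main file name is not known here, so the plugin is located by directory rather than by file.

```php
<?php
/**
 * Added example, not code from the advisory or from UnGrabber.
 * mu-plugin: deactivate UnGrabber while it is within the range affected by
 * CVE-2025-66149 ("through 3.1.3"). Remove this file once the site runs a
 * version the Patchstack advisory lists as fixed.
 *
 * Assumption: plugin directory slug "ungrabber" (from the advisory URL).
 */

const DEMO_UNGRABBER_LAST_AFFECTED = '3.1.3';

/**
 * True if $version falls inside the affected range (<= 3.1.3).
 * Kept separate so the comparison can be exercised on its own.
 */
function demo_ungrabber_is_affected( $version ) {
    return version_compare( (string) $version, DEMO_UNGRABBER_LAST_AFFECTED, '<=' );
}

/**
 * Locate the installed UnGrabber plugin by directory and read its version
 * from the plugin header. Returns null if it is not installed.
 */
function demo_find_ungrabber() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        // $file looks like "ungrabber/<main-file>.php"; match on the directory.
        if ( 0 === strpos( $file, 'ungrabber/' ) ) {
            return array( 'file' => $file, 'version' => $data['Version'] );
        }
    }
    return null;
}

add_action( 'admin_init', function () {
    $plugin = demo_find_ungrabber();
    if ( null === $plugin || ! is_plugin_active( $plugin['file'] ) ) {
        return;
    }
    if ( ! demo_ungrabber_is_affected( $plugin['version'] ) ) {
        // Newer than 3.1.3. Confirm against the advisory that this release is
        // the fixed one, then delete this mu-plugin.
        return;
    }

    // Inside the affected range: deactivate (network-wide on multisite) and
    // leave a notice so administrators know it was deliberate.
    deactivate_plugins( $plugin['file'], true, is_multisite() );
    add_action( 'admin_notices', function () use ( $plugin ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'UnGrabber %s was deactivated: versions through %s are affected by CVE-2025-66149 (missing authorization). Update the plugin, then remove this mu-plugin.',
                $plugin['version'],
                DEMO_UNGRABBER_LAST_AFFECTED
            ) )
        );
    } );
} );
```

Because the fixed version is not stated in the advisories available here, the guard only knows the upper bound of the affected range; after updating, check the installed version against the Patchstack entry before removing the mu-plugin.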

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +0
POC: 0
