CVE-2025-66100 – This CVE describes a missing authorization vuln... (How to Fix)

Q: What is the severity of CVE-2025-66100?

CVE-2025-66100 has a CVSS score of 6.5 (MEDIUM). This CVE describes a missing authorization vulnerability in the RestroPress WordPress plugin that allows attackers to bypass access controls. It affects all RestroPress installations running versions up to and including 3.2.3.5, potentially enabling unauthorized access to restricted functionality.

📋 TL;DR

This CVE describes a missing authorization vulnerability in the RestroPress WordPress plugin that allows attackers to bypass access controls. It affects all RestroPress installations running versions up to and including 3.2.3.5, potentially enabling unauthorized access to restricted functionality.

💻 Affected Systems

Products:

RestroPress WordPress Plugin

Versions: All versions up to and including 3.2.3.5

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations using vulnerable RestroPress versions regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify restaurant orders, access customer data, or manipulate payment information leading to financial loss and data breach.

🟠

Likely Case

Unauthorized users accessing administrative functions or customer data they shouldn't have permission to view.

🟢

If Mitigated

Proper access controls would prevent any unauthorized access, limiting impact to legitimate users only.

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and this vulnerability requires no authentication.

🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if the plugin is installed internally.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Broken access control vulnerabilities are typically easy to exploit once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.3.6 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-3-5-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find RestroPress and click 'Update Now'. 4. Verify version is 3.2.3.6 or higher.

🔧 Temporary Workarounds

Disable RestroPress Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate restropress

Restrict Access via Web Application Firewall

all

Block suspicious requests to RestroPress endpoints

🧯 If You Can't Patch

Implement strict network segmentation to isolate the WordPress instance
Enable detailed logging and monitoring for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → RestroPress version

Check Version:

wp plugin get restropress --field=version

Verify Fix Applied:

Verify RestroPress version is 3.2.3.6 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to RestroPress admin endpoints
Unusual user activity from non-admin accounts

Network Indicators:

HTTP requests to /wp-content/plugins/restropress/ with suspicious parameters

SIEM Query:

source="wordpress" AND (uri_path="/wp-content/plugins/restropress/*" AND user_role!="administrator")

📊 Metadata

CVE ID: CVE-2025-66100

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-862

EPSS Score: 0.03% exploit probability (9.5th percentile)

Published: December 18, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-3-5-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66100, you might also want to check these: