CVE-2025-66101 in CBX Bookmark & Favorite Plugin
Summary
by MITRE • 11/21/2025
Missing Authorization vulnerability in Sabuj Kundu CBX Bookmark & Favorite cbxwpbookmark allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CBX Bookmark & Favorite: from n/a through <= 2.0.1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/21/2025
The vulnerability identified as CVE-2025-66101 represents a critical authorization flaw within the Sabuj Kundu CBX Bookmark & Favorite WordPress plugin, specifically impacting versions ranging from the initial release through version 2.0.1. This security weakness stems from improperly configured access control mechanisms that allow unauthorized users to exploit functionality intended for privileged administrators. The plugin's bookmark and favorite management features contain insufficient authorization checks, creating a pathway for attackers to manipulate user data and potentially escalate their privileges within the affected WordPress environment.
This vulnerability manifests as a failure in the plugin's access control implementation, where proper authentication and authorization checks are either missing or incorrectly configured. The flaw enables attackers to bypass normal security boundaries that should restrict access to bookmark management functions, allowing them to perform operations such as adding, modifying, or deleting bookmarks and favorites that should be restricted to authorized administrators. The issue falls under the category of inadequate access control as defined by CWE-284, which specifically addresses improper access control mechanisms that allow unauthorized users to gain access to resources or perform actions they should not be permitted to execute.
The operational impact of this vulnerability extends beyond simple data manipulation, potentially enabling attackers to establish persistent access within the WordPress environment. An attacker who successfully exploits this weakness could gain the ability to modify user bookmarks, potentially including malicious links or references that could be used for social engineering attacks. The vulnerability also poses a risk to data integrity and confidentiality, as unauthorized users could access or alter sensitive bookmark information that may contain internal network resources, administrative interfaces, or other privileged information. This flaw particularly affects WordPress installations where the plugin is actively used and where bookmark functionality is leveraged for user management or administrative tasks.
Security professionals should consider this vulnerability in relation to the ATT&CK framework, particularly under the techniques related to privilege escalation and persistence. The missing authorization control creates opportunities for attackers to move laterally within the system and potentially establish footholds for further exploitation. Organizations using the affected plugin should immediately implement mitigations including updating to the latest version of the plugin, reviewing access control configurations, and monitoring for unauthorized access attempts. Additionally, administrators should conduct comprehensive security audits of their WordPress installations to identify similar authorization flaws in other plugins or themes that might be susceptible to similar attacks. The vulnerability underscores the importance of proper access control implementation and the need for regular security assessments to prevent exploitation of misconfigured security controls.