Skip to main content

CVE-2025-66144

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Worker for Elementor worker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Worker for Elementor: from n/a through <= 1.0.10.

AnalysisAI

Missing authorization controls in the merkulove Worker for Elementor WordPress plugin (versions through 1.0.10) allow unauthenticated or low-privileged users to exploit incorrectly configured access control mechanisms. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to perform unauthorized actions without proper privilege verification, potentially affecting sites running vulnerable plugin versions.

Technical ContextAI

The Worker for Elementor plugin is a WordPress extension (CPE: wp:plugin:worker-elementor) that extends the Elementor page builder. The vulnerability involves improper implementation of access control checks (CWE-862: Missing Authorization), a common WordPress security issue where admin or restricted functions are callable by unauthenticated or low-privileged users. This typically occurs when nonces are missing, improperly validated, or capability checks (is_admin(), current_user_can()) are not enforced on AJAX endpoints, REST routes, or other callable hooks. Without proper authorization verification, attackers can directly invoke sensitive plugin functions.

Affected ProductsAI

The vulnerability affects the merkulove Worker for Elementor WordPress plugin in versions 1.0.10 and earlier. The plugin is distributed via the WordPress plugin repository. Full details and vendor advisory are available at https://patchstack.com/database/Wordpress/Plugin/worker-elementor/vulnerability/wordpress-worker-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve

RemediationAI

Update the Worker for Elementor plugin to a patched version newer than 1.0.10 as soon as available from the WordPress plugin repository or via the merkulove vendor website. Site administrators should immediately audit plugin settings and confirm that access control restrictions are properly enforced; if a patched version is not yet released, consider disabling the plugin temporarily until a fix is published. The Patchstack advisory at the above URL should be checked for the exact patched version number and additional mitigation guidance.

Share

CVE-2025-66144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy