CVE-2025-66144

2025-12-31 [email protected]

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 31, 2025 - 20:15 (nvd)

Description

Missing Authorization vulnerability in merkulove Worker for Elementor worker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Worker for Elementor: from n/a through <= 1.0.10.

Analysis

Missing authorization controls in the merkulove Worker for Elementor WordPress plugin (versions through 1.0.10) allow unauthenticated or low-privileged users to exploit incorrectly configured access control mechanisms. The vulnerability is classified as CWE-862 (Missing Authorization): attackers can perform actions that should require a privilege the plugin never verifies, affecting any site running a vulnerable plugin version.

Technical Context

The Worker for Elementor plugin is a WordPress extension (CPE: wp:plugin:worker-elementor) that extends the Elementor page builder. The vulnerability involves improper implementation of access control checks (CWE-862: Missing Authorization), a common WordPress security issue in which admin or otherwise restricted functions are callable by unauthenticated or low-privileged users. This typically occurs when nonces are missing or improperly validated, or when capability checks (is_admin(), current_user_can()) are not enforced on AJAX endpoints, REST routes, or other callable hooks. Without proper authorization verification, attackers can directly invoke sensitive plugin functions.
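The pattern described above, as an added illustration that is not Worker for Elementor's code (the plugin's vulnerable function is not identified on this page): a hypothetical plugin setting exposed through an AJAX action and a REST route, first with the authorization check missing and then with a capability check, nonce validation and a permission_callback in place. All action, option and route names are invented for the example; note that is_admin() is true for every admin-ajax.php request regardless of who sent it, so it cannot serve as an authorization check.

```php
<?php
// Hypothetical plugin snippet (example only, not Worker for Elementor's code).

// BEFORE: missing authorization (CWE-862). Any logged-in user can reach this
// through /wp-admin/admin-ajax.php?action=example_save_settings_v1, and the
// nopriv registration exposes it to anonymous visitors as well.
add_action( 'wp_ajax_example_save_settings_v1', 'example_save_settings_unchecked' );
add_action( 'wp_ajax_nopriv_example_save_settings_v1', 'example_save_settings_unchecked' );
function example_save_settings_unchecked() {
    // is_admin() would return true here for every caller, so it is not a
    // substitute for a capability check.
    update_option( 'example_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// AFTER: capability check plus nonce, and no nopriv registration.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_checked' );
function example_save_settings_checked() {
    // Authorization: only users who may manage options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: nonce created with wp_create_nonce( 'example_save_settings' )
    // and sent in the 'nonce' request field.
    check_ajax_referer( 'example_save_settings', 'nonce' );
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// Same rule for REST routes: permission_callback is the authorization check.
// Returning true unconditionally there would be the equivalent bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $settings = sanitize_text_field( (string) $request->get_param( 'settings' ) );
            update_option( 'example_settings', $settings );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of issue, list every wp_ajax_*, wp_ajax_nopriv_* and register_rest_route() registration and confirm each callback (or its permission_callback) enforces a capability before acting.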

Affected Products

The vulnerability affects the merkulove Worker for Elementor WordPress plugin in versions 1.0.10 and earlier. The plugin is distributed via the WordPress plugin repository. Full details and the vendor advisory are available at https://patchstack.com/database/Wordpress/Plugin/worker-elementor/vulnerability/wordpress-worker-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve

Remediation

Update the Worker for Elementor plugin to a patched version newer than 1.0.10 as soon as one is available from the WordPress plugin repository or the merkulove vendor website. Site administrators should immediately audit plugin settings and confirm that access control restrictions are properly enforced; if a patched version is not yet released, consider disabling the plugin temporarily until a fix is published. Check the Patchstack advisory at the above URL for the exact patched version number and additional mitigation guidance.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +0
POC: 0
