CVE-2025-66145

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 20:15 (nvd)

Description

Missing Authorization vulnerability in merkulove Worker for WPBakery worker-wpbakery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Worker for WPBakery: from n/a through <= 1.1.1.

Analysis

Missing authorization in Worker for WPBakery plugin versions through 1.1.1 allows attackers to exploit incorrectly configured access control and perform unauthorized actions. The vulnerability affects WordPress installations running this plugin and could allow unauthenticated or low-privileged users to bypass security restrictions. The low EPSS probability (0.05%) and minimal public awareness suggest a low likelihood of exploitation.

Technical Context

This vulnerability stems from CWE-862 (Missing Authorization), a class of flaw where the application fails to properly implement access control checks before permitting sensitive operations. The Worker for WPBakery plugin, which integrates WPBakery (Visual Composer) with WordPress, appears to lack proper capability checks or role-based access controls on certain functions. The vulnerability likely affects plugin functionality that should be restricted to authenticated administrators or specific roles but is instead accessible to unauthorized users. The CPE context indicates this is a WordPress plugin vulnerability affecting versions up to and including 1.1.1.

Affected Products

Worker for WPBakery (also referred to as merkulove Worker for WPBakery) versions through 1.1.1 are affected. The plugin is distributed via WordPress.org plugin repository and is identified in Patchstack's vulnerability database. No specific patch version has been released or confirmed available as of the analysis date, leaving all installations running version 1.1.1 and earlier potentially vulnerable.

Remediation

Update Worker for WPBakery to a version newer than 1.1.1 as soon as a patched release becomes available; check the official plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/worker-wpbakery/vulnerability/wordpress-worker-for-wpbakery-plugin-1-1-1-broken-access-control-vulnerability for the latest patched version. If no official patch is released in a timely manner, consider disabling the plugin and using alternative WPBakery integration solutions. In the interim, site administrators should audit user roles and capabilities to minimize the impact of unauthorized access. Monitor Patchstack and WordPress security channels for patch availability.

Priority Score

0
KEV: 0
EPSS: +0.1
CVSS: +0
POC: 0
