Skip to main content

CVE-2025-66145

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Worker for WPBakery worker-wpbakery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Worker for WPBakery: from n/a through <= 1.1.1.

AnalysisAI

Missing authorization in Worker for WPBakery plugin versions through 1.1.1 allows attackers to exploit incorrectly configured access control, enabling unauthorized actions through broken access control mechanisms. The vulnerability affects WordPress installations running this plugin and could allow unauthenticated or low-privileged users to bypass security restrictions, though the specific attack surface and impact are limited by low EPSS probability (0.05%) and minimal public awareness.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a class of flaw where the application fails to properly implement access control checks before permitting sensitive operations. The Worker for WPBakery plugin, which integrates WPBakery (Visual Composer) with WordPress, appears to lack proper capability checks or role-based access controls on certain functions. The vulnerability likely affects plugin functionality that should be restricted to authenticated administrators or specific roles but is instead accessible to unauthorized users. The CPE context indicates this is a WordPress plugin vulnerability affecting versions up to and including 1.1.1.

Affected ProductsAI

Worker for WPBakery (also referred to as merkulove Worker for WPBakery) versions through 1.1.1 are affected. The plugin is distributed via WordPress.org plugin repository and is identified in Patchstack's vulnerability database. No specific patch version has been released or confirmed available as of the analysis date, leaving all installations running version 1.1.1 and earlier potentially vulnerable.

RemediationAI

Users should immediately update Worker for WPBakery to a version newer than 1.1.1 if a patched release becomes available; check the official plugin repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/worker-wpbakery/vulnerability/wordpress-worker-for-wpbakery-plugin-1-1-1-broken-access-control-vulnerability for the latest patched version. If no official patch is released in a timely manner, consider disabling the plugin and using alternative WPBakery integration solutions. Site administrators should audit user roles and capabilities to minimize impact of unauthorized access in the interim. Monitor Patchstack and WordPress security channels for patch availability.

Share

CVE-2025-66145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy