CVE-2025-66146

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 20:15 (nvd)

Description

Missing Authorization vulnerability in merkulove Logger for Elementor logger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Logger for Elementor: from n/a through <= 1.0.9.

Analysis

Missing authorization in merkulove Logger for Elementor plugin through version 1.0.9 allows attackers to bypass access controls and exploit incorrectly configured security levels. Unauthenticated or low-privileged users can access protected functionality due to absent or insufficient authorization checks. The vulnerability has low exploitation probability (EPSS 0.05%) and no confirmed public exploit code or active exploitation reported.

Technical Context

The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where the application fails to verify that a user has permission to perform a requested action. In the Logger for Elementor WordPress plugin, this manifests as missing or improperly configured authorization checks on sensitive endpoints or administrative functions. The plugin is built as a WordPress extension (CPE: wordpress plugin logger-elementor) and relies on WordPress's permission and capability framework; the flaw indicates that plugin code does not properly invoke or check required WordPress capabilities (such as manage_options or plugin-specific caps) before granting access to logging or configuration features. This allows attackers to manipulate access control security levels without proper credential or role validation.
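As an added illustration of where the capability check belongs in a WordPress plugin (example code written for this page, not code from Logger for Elementor or from the advisory; the namespace, routes, option and function names are hypothetical), the weak registration that accepts any caller is shown beside the hardened one that delegates the decision to WordPress's capability framework:

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin. All names (namespace,
// routes, option, functions) are hypothetical, not Logger for Elementor's code.

function example_logger_read_log( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_logger_entries', array() ) );
}
function example_logger_clear_log( WP_REST_Request $request ) {
    delete_option( 'example_logger_entries' );
    return rest_ensure_response( array( 'cleared' => true ) );
}

// WEAK (the shape of a missing-authorization flaw): '__return_true' accepts any
// caller, so logged-out visitors can read and clear the log. Not hooked below.
function example_logger_register_routes_weak() {
    register_rest_route( 'example-logger/v1', '/log', array(
        array( 'methods' => 'GET',    'callback' => 'example_logger_read_log',  'permission_callback' => '__return_true' ),
        array( 'methods' => 'DELETE', 'callback' => 'example_logger_clear_log', 'permission_callback' => '__return_true' ),
    ) );
}

// HARDENED: delegate to the WordPress capability system. For cookie-authenticated
// REST calls core validates X-WP-Nonce before permission_callback runs, so a bad
// nonce leaves the request unauthenticated and current_user_can() returns false.
function example_logger_can_manage( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
        array( 'status' => rest_authorization_required_code() ) ); // 401 or 403
}
function example_logger_register_routes() {
    register_rest_route( 'example-logger/v1', '/log', array(
        array( 'methods' => WP_REST_Server::READABLE,  'callback' => 'example_logger_read_log',  'permission_callback' => 'example_logger_can_manage' ),
        array( 'methods' => WP_REST_Server::DELETABLE, 'callback' => 'example_logger_clear_log', 'permission_callback' => 'example_logger_can_manage' ),
    ) );
}
add_action( 'rest_api_init', 'example_logger_register_routes' );

// Same rule for admin-ajax: wp_ajax_* alone implies only "logged in", and a
// wp_ajax_nopriv_* registration would expose the action to logged-out users.
add_action( 'wp_ajax_example_logger_clear', function () {
    check_ajax_referer( 'example_logger_clear' );   // CSRF protection, not authorization
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );     // the authorization check
    }
    delete_option( 'example_logger_entries' );
    wp_send_json_success();
} );
```

When reviewing a plugin for this flaw class, grep for `permission_callback` values of `__return_true` and for `wp_ajax_nopriv_` hooks, then confirm each remaining handler calls `current_user_can()` before touching configuration or log data.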

Affected Products

merkulove Logger for Elementor plugin for WordPress, versions 1.0.9 and earlier. The plugin is identified by CPE wordpress plugin logger-elementor. The vulnerability affects all installations of this plugin up to and including version 1.0.9. Further details and advisory information are available at https://patchstack.com/database/Wordpress/Plugin/logger-elementor/vulnerability/wordpress-logger-for-elementor-plugin-1-0-9-broken-access-control-vulnerability.

Remediation

Update the merkulove Logger for Elementor plugin to version 1.0.10 or later, which should contain authorization fixes to properly enforce access control checks. Site administrators should navigate to the WordPress Plugins dashboard, locate Logger for Elementor, and apply the available update. If an immediate update is not possible, consider temporarily disabling the plugin until a patched version is installed. Verify in the WordPress user roles and capabilities settings that only authorized administrators can access logging features. For detailed patching guidance, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/logger-elementor/vulnerability/wordpress-logger-for-elementor-plugin-1-0-9-broken-access-control-vulnerability.

Priority Score

0 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +0, POC 0

CVE-2025-66146 vulnerability details – vuln.today