Skip to main content

CVE-2025-66146

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Logger for Elementor logger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Logger for Elementor: from n/a through <= 1.0.9.

AnalysisAI

Missing authorization in merkulove Logger for Elementor plugin through version 1.0.9 allows attackers to bypass access controls and exploit incorrectly configured security levels. Unauthenticated or low-privileged users can access protected functionality due to absent or insufficient authorization checks. The vulnerability has low exploitation probability (EPSS 0.05%) and no confirmed public exploit code or active exploitation reported.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where the application fails to verify that a user has permission to perform a requested action. In the Logger for Elementor WordPress plugin, this manifests as missing or improperly configured authorization checks on sensitive endpoints or administrative functions. The plugin is built as a WordPress extension (CPE: wordpress plugin logger-elementor) and relies on WordPress's permission and capability framework; the flaw indicates that plugin code does not properly invoke or check required WordPress capabilities (such as manage_options or plugin-specific caps) before granting access to logging or configuration features. This allows attackers to manipulate access control security levels without proper credential or role validation.

Affected ProductsAI

merkulove Logger for Elementor plugin for WordPress, versions 1.0.9 and earlier. The plugin is identified by CPE wordpress plugin logger-elementor. The vulnerability affects all installations of this plugin up to and including version 1.0.9. Further details and advisory information are available at https://patchstack.com/database/Wordpress/Plugin/logger-elementor/vulnerability/wordpress-logger-for-elementor-plugin-1-0-9-broken-access-control-vulnerability.

RemediationAI

Update the merkulove Logger for Elementor plugin to version 1.0.10 or later, which should contain authorization fixes to properly enforce access control checks. Site administrators should navigate to WordPress Plugins dashboard, locate Logger for Elementor, and apply the available update. If an immediate update is not possible, consider temporarily disabling the plugin until a patched version is installed. Verify in WordPress user roles and capabilities settings that only authorized administrators can access logging features. For detailed patching guidance, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/logger-elementor/vulnerability/wordpress-logger-for-elementor-plugin-1-0-9-broken-access-control-vulnerability.

Share

CVE-2025-66146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy