Skip to main content

CVE-2025-66148

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Conformer for Elementor conformer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conformer for Elementor: from n/a through <= 1.0.7.

AnalysisAI

Missing authorization controls in Conformer for Elementor WordPress plugin version 1.0.7 and earlier allow attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. The vulnerability stems from broken access control (CWE-862) without explicit authentication requirements, affecting all users of the plugin through version 1.0.7. While EPSS score is minimal at 0.05%, the nature of access control bypasses warrants assessment in WordPress environments where the plugin is deployed.

Technical ContextAI

Conformer for Elementor is a WordPress plugin that integrates with Elementor page builder. The vulnerability is rooted in CWE-862 (Missing Authorization), a class of flaw where the application fails to properly verify that a user has authorization to perform requested actions. This differs from authentication (verifying identity) and instead concerns authorization (verifying permissions). The broken access control allows attackers to interact with plugin functionality that should be restricted based on user roles or capabilities. WordPress plugins typically implement authorization through capability checks (is_user_logged_in(), current_user_can()) or nonce verification; the missing implementation of these controls in Conformer for Elementor creates exposure regardless of whether the attacker is authenticated to WordPress.

Affected ProductsAI

Conformer for Elementor by merkulove, all versions from initial release through 1.0.7, is affected. The plugin is distributed via the WordPress.org plugin repository (CPE data unavailable from input). Users running any version of Conformer for Elementor at or below version 1.0.7 should assume their installations are vulnerable. Specific version information and advisory details are available via the Patchstack database reference.

RemediationAI

Update Conformer for Elementor to a version newer than 1.0.7; check the official plugin repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/conformer-elementor/vulnerability/wordpress-conformer-for-elementor-plugin-1-0-7-broken-access-control-vulnerability for the patched release version. If a patched version is not yet released, temporarily deactivate the plugin until an update becomes available. Verify via the WordPress admin dashboard (Plugins > Installed Plugins) that the plugin has been updated, and audit any user roles or data that may have been exposed while the vulnerable version was active. Consider implementing additional capability checks and access control audits on any custom-developed integrations with this plugin.

Share

CVE-2025-66148 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy