CVE-2025-66150
Description
Missing Authorization vulnerability in merkulove Appender appender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appender: from n/a through <= 1.1.1.
Analysis
Missing authorization in the merkulove Appender WordPress plugin, versions through 1.1.1, allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining access to functionality or data that should be restricted to higher-privileged roles. The EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.
Technical Context
The vulnerability stems from a CWE-862 (Missing Authorization) flaw in the Appender plugin's access control implementation. This class of weakness occurs when an application fails to verify that the requesting user holds sufficient privileges before performing the requested action. In WordPress plugins it typically manifests when capability checks (current_user_can() or a similar permission-validation function) are absent or improperly implemented in action handlers, AJAX endpoints, REST routes, or admin pages. A nonce check such as check_ajax_referer() is often mistaken for one: it protects against CSRF but establishes nothing about the caller's role, so it is not a substitute for a capability check. Because the plugin's access control security levels are not properly enforced, users with lower privileges can reach functions intended for higher-privileged roles.
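The capability-check gap described above can be hunted for mechanically. The script below is an added example, not code from this page, from the Appender plugin, or from Patchstack: it scans a plugin's PHP files for wp_ajax_ / admin_post_ handlers whose callback never calls current_user_can() (or a related check) and for REST routes whose permission_callback is missing or set to __return_true, and it runs on a constructed sample plugin when no path is given. The helper names (audit, audit_tree, function_body), the regular expressions and the sample PHP are assumptions; the check is a heuristic that only follows string-named callbacks, so it supports a manual review rather than replacing one.

```python
"""Heuristic audit of WordPress plugin source for CWE-862 patterns:
AJAX / admin-post handlers with no capability check, handlers reachable
without login, and REST routes whose permission_callback is disabled.
The helper names here are assumptions, not Appender or WordPress APIs."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed sample plugin file (not the Appender plugin's code): one AJAX
# handler with no authorization, one hardened equivalent, and one REST route
# that explicitly disables authorization.
SAMPLE_PLUGIN = r'''<?php
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );
function demo_save_settings() {
    // Vulnerable: any logged-in user, Subscriber included, reaches this path.
    check_ajax_referer( 'demo_settings', 'nonce' );   // CSRF only, not authz
    update_option( 'demo_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_save_settings_safe', 'demo_save_settings_safe' );
function demo_save_settings_safe() {
    check_ajax_referer( 'demo_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {   // authorization check
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save',
        'permission_callback' => '__return_true',   // authorization disabled
    ) );
} );
'''

# add_action( 'wp_ajax_<action>', '<callback>' ) with a string-named callback.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?|admin_post_(?:nopriv_)?)"
    r"([A-Za-z0-9_]+)['\"]\s*,\s*['\"]([A-Za-z0-9_]+)['\"]"
)
# register_rest_route( '<ns>', '<route>', array( ... ) ); captures the args.
REST_RE = re.compile(
    r"register_rest_route\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"](.*?)\)\s*\);",
    re.DOTALL,
)
CAP_CHECKS = ("current_user_can(", "current_user_can_for_blog(", "user_can(", "is_super_admin(")
NONCE_CHECKS = ("check_ajax_referer(", "check_admin_referer(", "wp_verify_nonce(")


@dataclass(frozen=True)
class Finding:
    hook: str
    callback: str
    reason: str


def function_body(src: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of the named PHP function, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if m is None:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit(src: str) -> List[Finding]:
    """Flag handlers that dispatch without a capability check."""
    findings: List[Finding] = []
    for prefix, action, callback in HOOK_RE.findall(src):
        hook = prefix + action
        if prefix.endswith("nopriv_"):
            findings.append(Finding(hook, callback, "reachable without login"))
        body = function_body(src, callback)
        if body is None:
            findings.append(Finding(hook, callback, "callback body not found; review manually"))
        elif not any(c in body for c in CAP_CHECKS):
            reason = "no capability check"
            if any(n in body for n in NONCE_CHECKS):
                reason += " (nonce present, but a nonce is CSRF protection, not authorization)"
            findings.append(Finding(hook, callback, reason))
    for ns, route, args in REST_RE.findall(src):
        if "permission_callback" not in args or "__return_true" in args:
            findings.append(Finding(f"rest:{ns}{route}", "-", "permission_callback missing or __return_true"))
    return findings


def audit_tree(root: str) -> List[Finding]:
    """Audit every .php file under a plugin directory, e.g. wp-content/plugins/appender."""
    out: List[Finding] = []
    for path in sorted(Path(root).rglob("*.php")):
        out.extend(audit(path.read_text(encoding="utf-8", errors="replace")))
    return out


if __name__ == "__main__":
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_PLUGIN)
    for f in results:
        print(f"{f.hook}: {f.callback}: {f.reason}")
```

Run it against the installed plugin directory (python audit.py wp-content/plugins/appender) and review each flagged handler by hand: a hit means the callback dispatches on the hook without any of the listed capability functions in its own body, which is exactly the CWE-862 shape, but a check performed in a helper the callback calls will show up as a false positive.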
Affected Products
merkulove Appender WordPress plugin versions from an unspecified lower bound through version 1.1.1 are affected. The CPE for this plugin would typically be cpe:2.3:a:merkulove:appender:*:*:*:*:*:wordpress:*:* with the version constraint <= 1.1.1 (inferred from the vendor and plugin names rather than quoted from an official CPE dictionary entry). The vulnerability was reported and documented by Patchstack in its WordPress plugin vulnerability database.
Remediation
Users should update the merkulove Appender plugin to a version later than 1.1.1 as soon as practical. Check the WordPress plugin repository or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/appender/vulnerability/wordpress-appender-plugin-1-1-1-broken-access-control-vulnerability to confirm the patched version. Until the update is applied, restrict access to the WordPress backend to trusted administrators (or deactivate the plugin if it is not essential), and monitor user activity logs for attempts by low-privileged accounts to reach the plugin's admin or AJAX actions. Administrators should also verify that user roles and capabilities are correctly assigned and that no unexpected privilege elevations have occurred on affected installations.