Skip to main content

CVE-2025-66150

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 19:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Appender appender allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Appender: from n/a through <= 1.1.1.

AnalysisAI

Missing authorization in the merkulove Appender WordPress plugin versions through 1.1.1 allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining unauthorized access to restricted functionality or data. EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.

Technical ContextAI

The vulnerability stems from a CWE-862 (Missing Authorization) flaw in access control implementation within the Appender plugin. This class of weakness occurs when an application fails to properly verify that a user has sufficient privileges to perform a requested action before granting access. In WordPress plugin architecture, this typically manifests when capability checks (such as current_user_can() or similar permission-validation functions) are either absent or improperly implemented in action handlers, AJAX endpoints, or admin pages. The plugin's access control security levels are not properly enforced, allowing users with lower privileges to access functions intended for higher-privileged roles.

Affected ProductsAI

merkulove Appender WordPress plugin versions from an unspecified baseline through version 1.1.1 are affected. The CPE for this plugin would typically be cpe:2.3:a:merkulove:appender:*:*:*:*:*:wordpress:*:* with version constraint <=1.1.1. The vulnerability was reported and documented by Patchstack in their WordPress plugin vulnerability database.

RemediationAI

Users should update the merkulove Appender plugin to the latest available version beyond 1.1.1 as soon as practical. Visit the WordPress plugin repository or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/appender/vulnerability/wordpress-appender-plugin-1-1-1-broken-access-control-vulnerability to confirm the patched version. As a temporary workaround, restrict access to the WordPress backend to trusted administrators only and monitor user activity logs for unauthorized permission escalation attempts. Administrators should verify that user roles and capabilities are correctly assigned and that no unexpected privilege elevations have occurred on affected installations.

Share

CVE-2025-66150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy