CVE-2025-66151
Description
Missing Authorization vulnerability in merkulove Countdowner for Elementor (countdowner-elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Countdowner for Elementor: from n/a through 1.0.4.
Analysis
Missing authorization in the merkulove Countdowner for Elementor plugin (versions through 1.0.4) allows an attacker to invoke plugin functionality that is not gated behind a capability check, exploiting incorrectly configured access control security levels. The published advisory does not state which user role, if any, is needed to reach the affected code, so the required privilege level should be treated as unconfirmed rather than assumed to be unauthenticated. With an EPSS score of 0.05% (17th percentile), the real-world exploitation probability is low despite the authorization-bypass classification.
Technical Context
The vulnerability is classified as CWE-862 (Missing Authorization), an access control flaw in which the plugin fails to verify that the caller has permission to perform a specific action or reach sensitive functionality. In WordPress plugins this class of bug typically appears when a `current_user_can()` capability check is missing entirely from an AJAX, REST or admin-post handler, is applied to some entry points but not others, or is enforced only in the UI layer (hiding a button) rather than in the server-side handler that actually performs the action. Note that a nonce check alone does not close this gap: nonces defend against CSRF, not against a low-privilege user who can legitimately obtain one. The Countdowner for Elementor plugin, which integrates with the Elementor page builder framework, appears to expose functionality that should be restricted by role or capability without such an authorization gate; the advisory does not identify the specific handler.
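The following is an added illustration of the CWE-862 pattern described above in a WordPress AJAX handler, written for this page. It is hypothetical code, not the Countdowner for Elementor plugin's source (which the advisory does not reproduce); the hook names, option name, nonce action and capability are assumptions chosen to show the shape of the bug and its fix.

```php
<?php
// Added example: hypothetical WordPress plugin code illustrating CWE-862.
// Not the Countdowner for Elementor source; all names below are assumptions.

// VULNERABLE: the handler is registered for both logged-in and anonymous
// callers (the nopriv hook) and never asks whether the caller may change
// settings. Any visitor who can reach admin-ajax.php can overwrite the option.
add_action( 'wp_ajax_cdw_save_settings',        'cdw_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_cdw_save_settings', 'cdw_save_settings_vulnerable' );

function cdw_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'cdw_settings', $settings );
    wp_send_json_success();
}

// HARDENED: only logged-in users can reach the hook (no nopriv variant), the
// request must carry a nonce bound to this action (CSRF), and the caller must
// hold the capability that governs the action (the authorization gate that
// CWE-862 is about). The nonce check is necessary but not sufficient on its own.
add_action( 'wp_ajax_cdw_save_settings_safe', 'cdw_save_settings_hardened' );

function cdw_save_settings_hardened() {
    // Dies with HTTP 403 when the 'nonce' field is missing or stale.
    check_ajax_referer( 'cdw_save_settings', 'nonce' );

    // The authorization check the vulnerable version lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate and sanitize each field instead of storing the raw array.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'label'   => sanitize_text_field( $raw['label'] ?? '' ),
        'expires' => absint( $raw['expires'] ?? 0 ),
    );
    update_option( 'cdw_settings', $settings );
    wp_send_json_success( $settings );
}
```

The client side of the hardened handler must send a nonce generated with `wp_create_nonce( 'cdw_save_settings' )` (for example via `wp_localize_script`). When auditing a plugin for this class of bug, list every `wp_ajax_*`, `admin_post_*` and `register_rest_route` callback and confirm each one performs its own capability check; a `permission_callback` of `__return_true` on a REST route that mutates state is the same flaw.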
Affected Products
The vulnerability affects merkulove Countdowner for Elementor plugin versions through 1.0.4. The plugin integrates with WordPress and the Elementor page builder framework. Detailed version ranges and CPE identifiers are not explicitly provided in the available data; the advisory's "from n/a through 1.0.4" wording indicates that all released versions up to and including 1.0.4 are affected. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/countdowner-elementor/vulnerability/wordpress-countdowner-for-elementor-plugin-1-0-4-broken-access-control-vulnerability for vendor confirmation and patch status.
Remediation
Site administrators running Countdowner for Elementor should upgrade to a patched version newer than 1.0.4. Consult the plugin's release notes or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/countdowner-elementor/vulnerability/wordpress-countdowner-for-elementor-plugin-1-0-4-broken-access-control-vulnerability) for the specific minimum patched version; if no fixed release is listed there, treat every installed version as affected. If an immediate upgrade is not possible, reduce the number of accounts that can interact with the plugin: review WordPress user roles, remove or downgrade accounts that do not need to edit Elementor content, and audit plugin settings so that no sensitive configuration is reachable by lower-privilege users. Because the advisory does not specify which privilege level triggers the flaw, these restrictions are a partial mitigation only; deactivate the plugin until a fix is available if the site cannot tolerate that uncertainty.
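As an added stop-gap that enforces the "deactivate until patched" option above, the must-use plugin below deactivates Countdowner for Elementor whenever the installed version is 1.0.4 or lower and shows an admin notice explaining why. This is example code written for this page, not vendor guidance. The plugin basename `countdowner-elementor/countdowner-elementor.php` is an assumption; confirm it against the installed directory (for example with `wp plugin list`) before relying on it.

```php
<?php
/**
 * Plugin Name: CVE-2025-66151 stop-gap
 * Description: Added example (not vendor code). Deactivates Countdowner for
 *              Elementor while the installed version is <= 1.0.4.
 *
 * Place this file in wp-content/mu-plugins/ so it cannot be switched off from
 * the dashboard. Remove it after upgrading to a patched release.
 */

add_action( 'admin_init', function () {
    // ASSUMPTION: plugin basename. Verify with `wp plugin list` or the plugins screen.
    $basename = 'countdowner-elementor/countdowner-elementor.php';
    $file     = WP_PLUGIN_DIR . '/' . $basename;

    // get_plugin_data() and is_plugin_active() live in wp-admin/includes/plugin.php.
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    if ( ! file_exists( $file ) || ! is_plugin_active( $basename ) ) {
        return; // not installed or already inactive: nothing to do
    }

    // Read the Version header without markup or translation processing.
    $data    = get_plugin_data( $file, false, false );
    $version = isset( $data['Version'] ) ? $data['Version'] : '0';

    // Affected range from the advisory: every version through 1.0.4.
    if ( version_compare( $version, '1.0.4', '<=' ) ) {
        deactivate_plugins( $basename );
        add_action( 'admin_notices', function () use ( $version ) {
            printf(
                '<div class="notice notice-error"><p>%s</p></div>',
                esc_html( sprintf(
                    'Countdowner for Elementor %s was deactivated: it is affected by CVE-2025-66151. Update to a patched release, then remove the mu-plugin that enforces this.',
                    $version
                ) )
            );
        } );
    }
} );
```

Once the vendor publishes a fixed version, replace the `'1.0.4'` literal with the last affected version from the advisory if it differs, or simply delete the file after upgrading; leaving it in place would keep a future patched install deactivated only if its version still compares as `<= 1.0.4`.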