CVE-2025-66152
Description
Missing Authorization vulnerability in merkulove Criptopayer for Elementor criptopayer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Criptopayer for Elementor: from n/a through <= 1.0.1.
Analysis
The Criptopayer for Elementor WordPress plugin, through version 1.0.1, contains a missing authorization vulnerability that allows unauthenticated attackers to exploit incorrectly configured access control security levels and bypass authentication mechanisms. The vulnerability stems from insufficient validation of user permissions, which enables unauthorized access to sensitive plugin functionality. With an EPSS score of 0.05% (17th percentile), the real-world exploitation probability is currently low, and no active exploitation or public proof-of-concept code has been reported.
Technical Context
This is a CWE-862 (Missing Authorization) vulnerability in a WordPress plugin for Elementor, a page builder platform. The vulnerability arises from the plugin's failure to properly implement access control checks before allowing users to execute privileged actions or access restricted resources. WordPress plugins typically handle authorization through capabilities and roles; this plugin appears to expose sensitive functionality without verifying the current user's permissions, allowing any visitor (authenticated or not, depending on the specific endpoint) to interact with protected features. The plugin integrates cryptocurrency payment processing via the Criptopayer service, making unauthorized access to payment-related functions a significant concern.
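The missing-check pattern described above, shown as an added illustration in plain WordPress plugin PHP. This is not the Criptopayer for Elementor source (which is not on this page); the action name `cp_save_wallet`, the option key `cp_wallet_address` and the `manage_options` capability are assumed for the example.

```php
<?php
// Illustrative CWE-862 shape in a WordPress plugin. Hypothetical action/option names;
// not the code of the affected plugin.

// --- Vulnerable shape: the handler is registered for logged-in AND anonymous callers
//     (wp_ajax_nopriv_*), performs no capability check and no nonce check, so any
//     visitor can overwrite a payment setting.
add_action( 'wp_ajax_cp_save_wallet', 'cp_save_wallet_vulnerable' );
add_action( 'wp_ajax_nopriv_cp_save_wallet', 'cp_save_wallet_vulnerable' );
function cp_save_wallet_vulnerable() {
    update_option( 'cp_wallet_address', $_POST['wallet'] ); // no authorization, no sanitisation
    wp_send_json_success();
}

// --- Hardened shape: privileged action registered for logged-in users only, then
//     authorization (capability), CSRF protection (nonce) and input validation.
add_action( 'wp_ajax_cp_save_wallet_fixed', 'cp_save_wallet_fixed' );
function cp_save_wallet_fixed() {
    // Authorization: only users permitted to manage site options may change payment settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls die()
    }
    // CSRF: the nonce must have been issued for this action; check_ajax_referer() dies on failure.
    check_ajax_referer( 'cp_save_wallet', 'nonce' );

    // Validation: normalise and bound the value before it reaches the database.
    $wallet = isset( $_POST['wallet'] ) ? sanitize_text_field( wp_unslash( $_POST['wallet'] ) ) : '';
    if ( '' === $wallet || strlen( $wallet ) > 128 ) {
        wp_send_json_error( array( 'message' => 'invalid wallet' ), 400 );
    }
    update_option( 'cp_wallet_address', $wallet );
    wp_send_json_success();
}

// The nonce is emitted on the admin page with wp_create_nonce( 'cp_save_wallet' ) and sent
// in the request as the 'nonce' field. For REST routes the equivalent check belongs in the
// route's 'permission_callback'; an '__return_true' callback on a privileged route is the same defect.
```

When reviewing a plugin for this class of bug, the concrete things to look for are `wp_ajax_nopriv_` registrations on state-changing handlers, `permission_callback => '__return_true'` on REST routes, and handlers that never call `current_user_can()`.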
Affected Products
Criptopayer for Elementor WordPress plugin version 1.0.1 and all earlier versions are affected. The advisory identifies the plugin by its WordPress plugin slug, 'criptopayer-elementor'. Affected installations include any WordPress site running this plugin up to and including version 1.0.1.
Remediation
Update Criptopayer for Elementor to a patched version beyond 1.0.1 as soon as it becomes available. Check the plugin repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/criptopayer-elementor/vulnerability/wordpress-criptopayer-for-elementor-plugin-1-0-1-broken-access-control-vulnerability for the latest fixed release. If a patched version is not yet released, consider disabling the plugin or restricting access via WordPress user roles and network firewalls until an update is available. Ensure that any cryptocurrency payment integrations are reviewed for unauthorized access by monitoring payment logs and transaction history.