Skip to main content

CVE-2025-66153

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 19:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Headinger for Elementor headinger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Headinger for Elementor: from n/a through <= 1.1.4.

AnalysisAI

Missing authorization controls in Headinger for Elementor plugin (versions up to 1.1.4) permit unauthenticated or insufficiently privileged attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from incorrectly configured security levels that fail to validate user permissions before granting access to sensitive functionality, enabling attackers to exploit the plugin's features beyond their intended authorization scope.

Technical ContextAI

Headinger for Elementor is a WordPress plugin that extends Elementor page builder functionality. The vulnerability exists in the plugin's access control implementation, classified under CWE-862 (Missing Authorization), which indicates the application fails to properly verify that a user is authorized to perform specific operations. Rather than a cryptographic or injection flaw, this is an authorization architecture issue where security checks are either missing entirely or misconfigured to incorrectly trust user-supplied data or insufficient privilege validation. The plugin likely contains endpoints or functions that should be restricted to administrators or specific user roles but instead process requests without proper capability verification.

Affected ProductsAI

Headinger for Elementor plugin versions from initial release through version 1.1.4 are affected. The vulnerability impacts WordPress installations running this plugin on affected version branches. Specific CPE data is not provided in the available intelligence, but the plugin can be identified via WordPress plugin repositories and the reported vendor source (Patchstack database entry for merkulove Headinger for Elementor).

RemediationAI

The primary remediation is to update Headinger for Elementor to a version released after 1.1.4 that includes the authorization control fixes. Users should navigate to the WordPress dashboard, access the Plugins section, and update the plugin to the latest stable release from the official plugin repository. Administrators should verify the update is available by checking the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/headinger-elementor/vulnerability/wordpress-headinger-for-elementor-plugin-1-1-4-broken-access-control-vulnerability. Until patching is completed, restrict plugin administrative access to trusted users only and audit user roles to ensure least-privilege configuration. Monitor plugin change logs and vendor communications for confirmation of the authorization fix in the patched version.

Share

CVE-2025-66153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy