CVE-2025-66155
Description
Missing Authorization vulnerability in merkulove Questionar for Elementor (questionar-elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Questionar for Elementor: from n/a through <= 1.1.7.
Analysis
Missing authorization controls in the merkulove Questionar for Elementor plugin, versions up to and including 1.1.7, allow an attacker to reach functionality that should be restricted to specific roles, potentially exposing questionnaire data or administrative functions to users who are not entitled to them. The root cause is absent or inadequate privilege validation before sensitive operations, and every site running a vulnerable version is affected. With an EPSS score of 0.02% and no CVSS severity assigned, the measured likelihood of real-world exploitation is currently low. Note that this is a broken access control flaw (CWE-862), not an authentication bypass: the attacker is typically an account the site already accepts (or an unauthenticated visitor, if the affected handler is exposed without login), which is exactly why it still warrants patching.
Technical Context
The vulnerability is classified as CWE-862 (Missing Authorization), meaning the Questionar for Elementor plugin does not enforce an access control check before allowing a user to perform a sensitive operation. This is one of the most common flaw classes in WordPress plugins: a handler registered through admin-ajax (wp_ajax_*), a REST route with a permissive permission_callback, or a form-processing hook runs without first calling current_user_can() with an appropriate capability. A nonce check is not a substitute; nonces defend against CSRF by proving the request came from the plugin's own page, but any logged-in user can obtain a valid nonce, so a handler that checks only a nonce still has a missing authorization bug. Questionar for Elementor is a WordPress plugin that extends the Elementor page builder with questionnaire functionality, so the operations in question are its questionnaire management and data-retrieval actions. Missing authorization vulnerabilities of this kind can allow low-privileged users (for example, subscribers) or, where a handler is exposed without login, unauthenticated visitors to perform actions reserved for administrators or other specific roles.
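The pattern in WordPress handler code, as an added illustration that is not Questionar for Elementor's own code: the vulnerable form of an admin-ajax action and a REST route beside the hardened form. The `demo_` action and function names, the nonce name and the post meta keys are hypothetical; the WordPress API calls (add_action, check_ajax_referer, current_user_can, register_rest_route, wp_send_json_error) are the real core functions.

```php
<?php
/**
 * Illustrative CWE-862 (Missing Authorization) in a WordPress plugin.
 * Hypothetical example code; not the code of Questionar for Elementor.
 * All demo_* names, the nonce name and meta keys are invented.
 */

// --- Vulnerable: admin-ajax handler with no capability check -------------
// Every logged-in user, including the 'subscriber' role, can reach any
// wp_ajax_* action, so this lets any account overwrite questionnaire data.
// Had the plugin also registered wp_ajax_nopriv_*, unauthenticated
// visitors could reach it as well.
add_action( 'wp_ajax_demo_save_questionnaire', 'demo_save_questionnaire_vuln' );
function demo_save_questionnaire_vuln() {
    $post_id = (int) ( $_POST['post_id'] ?? 0 );
    update_post_meta( $post_id, '_demo_questions', wp_unslash( $_POST['questions'] ?? '' ) );
    wp_send_json_success();
}

// Same flaw on a REST route: permission_callback => '__return_true'
// makes the endpoint readable by anyone, logged in or not.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/responses/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_responses',
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened --------------------------------------------------------------
add_action( 'wp_ajax_demo_save_questionnaire_safe', 'demo_save_questionnaire_safe' );
function demo_save_questionnaire_safe() {
    // CSRF protection only: proves the request came from our own admin
    // page. It does NOT establish that this user may perform the action.
    check_ajax_referer( 'demo_questionnaire_nonce', 'nonce' );

    $post_id = (int) ( $_POST['post_id'] ?? 0 );

    // Authorization: object-level capability check against the specific
    // post, so an author of one questionnaire cannot edit another's.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $questions = sanitize_textarea_field( wp_unslash( $_POST['questions'] ?? '' ) );
    update_post_meta( $post_id, '_demo_questions', $questions );
    wp_send_json_success();
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/responses-safe/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_responses',
        // Authorization decided per request against the target object;
        // WordPress returns 401/403 when this yields false.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
    ) );
} );

function demo_get_responses( WP_REST_Request $request ) {
    return rest_ensure_response(
        get_post_meta( (int) $request['id'], '_demo_responses', true )
    );
}
```

When auditing a plugin for this class of bug, list every add_action('wp_ajax_…'), add_action('wp_ajax_nopriv_…'), admin_post_* hook and register_rest_route() call, then confirm that each handler or permission_callback performs a current_user_can() check appropriate to the operation, not merely a nonce check.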
Affected Products
merkulove Questionar for Elementor plugin for WordPress is affected in all versions through 1.1.7. The plugin is distributed through the official WordPress.org plugin repository and integrates with the Elementor page builder to provide questionnaire functionality. No CPE identifier is given in the available data; the WordPress.org plugin slug is 'questionar-elementor', per the Patchstack reference.
Remediation
Update the Questionar for Elementor plugin to a release later than 1.1.7. From the WordPress dashboard, go to Plugins > Installed Plugins, locate 'Questionar for Elementor', and click 'Update Now' if a newer version is offered; on the command line, `wp plugin update questionar-elementor` does the same. Confirm that the new release actually addresses the CWE-862 authorization checks by reviewing the plugin's changelog or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/questionar-elementor/vulnerability/wordpress-questionar-for-elementor-plugin-1-1-7-broken-access-control-vulnerability. If automatic updates are enabled for the plugin, the patch will be applied automatically. No workarounds are recommended; patching is the primary mitigation.