CVE-2025-66156

2025-12-31

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in merkulove Watcher for Elementor watcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Watcher for Elementor: from n/a through <= 1.0.9.

Analysis

Missing authorization in merkulove Watcher for Elementor plugin (versions up to 1.0.9) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive functionality or data. The vulnerability carries an EPSS score of 0.02% (percentile 4%), indicating very low observed exploitation probability, with no public exploit code or active exploitation confirmed at the time of analysis.

Technical Context

This vulnerability stems from improper implementation of access control checks in the Watcher for Elementor WordPress plugin, classified under CWE-862 (Missing Authorization). The plugin fails to enforce proper authentication and authorization mechanisms when handling requests, allowing attackers to bypass intended security restrictions. WordPress plugins that integrate with Elementor page builder are particularly sensitive to access control flaws, as they often interact with page creation, editing, and user role management functions. The root cause is the absence of adequate capability checks or permission validation before allowing sensitive operations.
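As an added illustration of the CWE-862 pattern described above (hypothetical code, not the Watcher for Elementor plugin's source; the action name, option key and the `manage_options` capability are assumptions), a WordPress AJAX handler that persists settings without any authorization check, beside its hardened form:

```php
<?php
// Hypothetical illustration of CWE-862 (Missing Authorization) in a WordPress
// plugin AJAX handler. Not the plugin's actual code; action name, option key
// and required capability are assumptions for the example.

// BEFORE: nothing checks who is calling. Registered on wp_ajax_nopriv_, the
// handler is reachable without logging in; even on wp_ajax_ alone, any
// subscriber-level account could overwrite the plugin's settings.
function demo_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_watcher_settings', $settings );
    wp_send_json_success();
}
// Shown for comparison only; do not register alongside the hardened handler.
// add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_insecure' );
// add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_insecure' );

// AFTER: (1) a nonce ties the request to a form this user was actually served,
// (2) a capability check enforces authorization (the actual CWE-862 fix), and
// (3) input is sanitized before it is persisted.
function demo_save_settings_secure() {
    // Terminates with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );

    update_option( 'demo_watcher_settings', $settings );
    wp_send_json_success();
}
// Registered for authenticated users only: no wp_ajax_nopriv_ hook, so
// unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_secure' );
```

When auditing a plugin for this class of flaw, search each `wp_ajax_`, `wp_ajax_nopriv_`, `admin_post_` and REST `permission_callback` entry point for a `current_user_can()` check that matches the sensitivity of the operation; a nonce alone is not authorization.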

Affected Products

The vulnerability affects merkulove Watcher for Elementor WordPress plugin versions up to and including 1.0.9. The plugin is available on the WordPress Plugin Directory and is identified by the slug 'watcher-elementor'. All installations running version 1.0.9 or earlier are affected by this missing authorization flaw.

Remediation

Update merkulove Watcher for Elementor to a version newer than 1.0.9 immediately. Users should navigate to their WordPress dashboard, locate the Watcher for Elementor plugin in the Plugins section, and apply the available update. Consult the plugin's changelog and the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/watcher-elementor/vulnerability/wordpress-watcher-for-elementor-plugin-1-0-9-broken-access-control-vulnerability) for confirmation of the patched version. As a temporary measure pending update availability, site administrators should restrict access to the plugin's functionality through WordPress user role management until a patched version is available.

Priority Score

0 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +0
- POC: 0
