Skip to main content

CVE-2025-66157

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Sliper for Elementor sliper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sliper for Elementor: from n/a through <= 1.0.10.

AnalysisAI

Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.

Technical ContextAI

This vulnerability is rooted in CWE-862 (Missing Authorization), a category describing failures in access control enforcement where applications do not properly verify that users have appropriate permissions before allowing sensitive operations. In the context of the Sliper for Elementor WordPress plugin (a page builder component), the plugin fails to properly validate whether incoming requests have the required authorization credentials or role-based permissions before processing user requests. WordPress plugins typically rely on nonce verification, capability checks (using WordPress functions like current_user_can()), and role-based access control to enforce authorization; absence or misconfiguration of these mechanisms allows privilege escalation or cross-user action execution. The affected product is the merkulove Sliper for Elementor plugin running on WordPress sites with the Elementor page builder framework.

Affected ProductsAI

Sliper for Elementor by merkulove is affected in version 1.0.10 and all earlier versions. The plugin is distributed through the WordPress plugin repository and the CPE identifier is associated with the WordPress plugin ecosystem. Affected sites are those running WordPress with the Sliper for Elementor plugin installed and activated on the Elementor page builder. Detailed advisory information is available at the Patchstack vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/sliper-elementor/vulnerability/wordpress-sliper-for-elementor-plugin-1-0-10-broken-access-control-vulnerability.

RemediationAI

Update Sliper for Elementor to the latest version released after 1.0.10, which should include authorization controls and access validation fixes. Site administrators should navigate to WordPress Admin Dashboard > Plugins > Installed Plugins, locate Sliper for Elementor, and click 'Update' if available. If no update is immediately available, disable the plugin temporarily until a patched version is released by merkulove. Additionally, review user roles and capabilities assigned within the plugin settings to ensure only trusted administrators have access to sensitive features. Consult the Patchstack advisory at the provided reference for confirmation of patch availability and additional remediation guidance from the vendor.

Share

CVE-2025-66157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy