CVE-2025-66157

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in merkulove Sliper for Elementor sliper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sliper for Elementor: from n/a through <= 1.0.10.

Analysis

Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.

Technical Context

This vulnerability is rooted in CWE-862 (Missing Authorization), a category describing failures in access control enforcement where applications do not properly verify that users have appropriate permissions before allowing sensitive operations. In the context of the Sliper for Elementor WordPress plugin (a page builder component), the plugin fails to properly validate whether incoming requests have the required authorization credentials or role-based permissions before processing user requests. WordPress plugins typically rely on nonce verification, capability checks (using WordPress functions like current_user_can()), and role-based access control to enforce authorization; absence or misconfiguration of these mechanisms allows privilege escalation or cross-user action execution. The affected product is the merkulove Sliper for Elementor plugin running on WordPress sites with the Elementor page builder framework.
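
The pattern described above, as an added example that is not taken from the Sliper for Elementor source or from the advisory: a WordPress AJAX handler with no authorization next to the same handler with a capability check and nonce verification. The action name, option name and function names are hypothetical.

```php
<?php
// Hypothetical plugin code for illustration only. The action, option and
// function names are assumptions, not identifiers from Sliper for Elementor.
// BEFORE and AFTER are alternatives; a real plugin registers only one.

// BEFORE: missing authorization (CWE-862).
// The nopriv hook exposes the handler to logged-out visitors, and the
// handler never checks who is calling before it changes site state.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_unsafe' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_unsafe' );

function example_save_settings_unsafe() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_settings', $value );
    wp_send_json_success();
}

// AFTER: authenticated hook only, capability check, then nonce check.
// No wp_ajax_nopriv_ registration, so logged-out requests never reach it.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_safe' );

function example_save_settings_safe() {
    // Authorization: being logged in is not enough, so require a capability
    // that matches the sensitivity of the action (site settings here).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Intent: the nonce ties the request to a form this user was served.
    // It protects against CSRF and does not replace the capability check.
    // Third argument false makes the function return instead of dying.
    if ( ! check_ajax_referer( 'example_save_settings', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_settings', $value );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of flaw, each wp_ajax_, wp_ajax_nopriv_ and REST route registration is a place to confirm that a capability check runs before any state change.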

Affected Products

Sliper for Elementor by merkulove is affected in version 1.0.10 and all earlier versions. The plugin is distributed through the WordPress plugin repository and the CPE identifier is associated with the WordPress plugin ecosystem. Affected sites are those running WordPress with the Sliper for Elementor plugin installed and activated on the Elementor page builder. Detailed advisory information is available at the Patchstack vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/sliper-elementor/vulnerability/wordpress-sliper-for-elementor-plugin-1-0-10-broken-access-control-vulnerability.

Remediation

Update Sliper for Elementor to the latest version released after 1.0.10, which should include authorization controls and access validation fixes. Site administrators should navigate to WordPress Admin Dashboard > Plugins > Installed Plugins, locate Sliper for Elementor, and click 'Update' if available. If no update is immediately available, disable the plugin temporarily until a patched version is released by merkulove. Additionally, review user roles and capabilities assigned within the plugin settings to ensure only trusted administrators have access to sensitive features. Consult the Patchstack advisory at the provided reference for confirmation of patch availability and additional remediation guidance from the vendor.

Priority Score

Score: 0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
