CVE-2025-66158

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in merkulove Gmaper for Elementor gmaper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gmaper for Elementor: from n/a through <= 1.0.9.

Analysis

Gmaper for Elementor plugin versions up to and including 1.0.9 contain a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authorization checks to reach restricted functionality. The vulnerability carries a 0.02% EPSS score (percentile 4%), indicating minimal real-world exploitation risk at present; no public exploit code or active exploitation has been identified.

Technical Context

Gmaper for Elementor is a WordPress plugin that integrates Google Maps functionality with the Elementor page builder. The vulnerability stems from CWE-862 (Missing Authorization), a class of security flaw where access control checks are either absent or improperly implemented at the application layer. In practice this means the plugin fails to verify user capabilities or roles before granting access to sensitive actions, API endpoints, or administrative functions. The root cause is described as incorrectly configured access control security levels, which in the WordPress ecosystem usually manifests as a missing current_user_can() capability check in an AJAX handler or REST endpoint exposed by the plugin, frequently accompanied by missing or improper nonce validation (no check_ajax_referer() or wp_verify_nonce() call). A nonce alone is not an authorization check: it protects against CSRF but does not establish that the caller holds the required role or capability.
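The following PHP is an added illustration of the CWE-862 pattern described above, not code from the Gmaper for Elementor plugin or its vendor; all action, function, route and option names are hypothetical. It places a handler that never checks the caller's capability beside a hardened version using check_ajax_referer() and current_user_can(), and shows the equivalent permission_callback rule for a REST route.

```php
<?php
/**
 * Added illustration (hypothetical names), not code from Gmaper for Elementor.
 * Demonstrates the missing-authorization pattern in a WordPress AJAX handler
 * and REST route, beside the hardened form a reviewer would expect.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Registering on wp_ajax_nopriv_ as well as wp_ajax_ exposes the handler to
// unauthenticated visitors, and the callback trusts the request without a
// nonce or capability check.
add_action( 'wp_ajax_demo_map_save',        'demo_map_save_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_map_save', 'demo_map_save_vulnerable' );

function demo_map_save_vulnerable() {
    // No check_ajax_referer(), no current_user_can(): any request that reaches
    // admin-ajax.php can overwrite a site-wide setting.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'demo_map_api_key', $api_key ); // hypothetical option name
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Authenticated hook only, a nonce bound to this action, and an explicit
// capability check before the state-changing call.
add_action( 'wp_ajax_demo_map_save_secure', 'demo_map_save_secure' );

function demo_map_save_secure() {
    // CSRF protection: the nonce must have been issued for this exact action.
    // check_ajax_referer() terminates the request on failure by default.
    check_ajax_referer( 'demo_map_save_secure', 'nonce' );

    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'demo_map_api_key', $api_key );
    wp_send_json_success();
}

// --- Same rule for REST routes ---------------------------------------------
// permission_callback is where authorization belongs. Supplying
// '__return_true' here would reproduce the flaw on the REST surface.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-map/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'demo_map_rest_update',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'api_key' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function demo_map_rest_update( WP_REST_Request $request ) {
    update_option( 'demo_map_api_key', $request->get_param( 'api_key' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this class of bug, the quick checks are: which actions are also registered on wp_ajax_nopriv_, whether every state-changing AJAX callback calls current_user_can() (not only a nonce check), and whether every register_rest_route() call has a permission_callback that does more than return true.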

Affected Products

Gmaper for Elementor is affected from version n/a through 1.0.9, so any version up to and including 1.0.9 is potentially affected. The vulnerability is cataloged in the Patchstack WordPress plugin vulnerability database; a CPE and exact product identifiers were not provided in the source record. The plugin runs inside WordPress installations that use the Elementor page builder.

Remediation

Users should upgrade Gmaper for Elementor to a version newer than 1.0.9 as soon as a patched release is available. Check the official plugin repository or vendor advisory at https://patchstack.com/database/Wordpress/Plugin/gmaper-elementor/vulnerability/wordpress-gmaper-for-elementor-plugin-1-0-9-broken-access-control-vulnerability for patch availability and updated version information. In the interim, site administrators should review and restrict user roles and capabilities in WordPress to minimize exposure; disable the plugin if it is not actively in use, and monitor access logs for unauthorized API or administrative action attempts related to Gmaper functionality.

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
