Skip to main content

CVE-2025-66159

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Walker for Elementor walker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Walker for Elementor: from n/a through <= 1.1.6.

AnalysisAI

Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.

Technical ContextAI

Walker for Elementor is a WordPress plugin that extends Elementor page builder functionality with custom walker elements. The vulnerability exploits CWE-862 (Missing Authorization), indicating that the plugin fails to implement proper permission verification before executing sensitive operations. WordPress plugins typically authenticate users via nonces, capability checks, and role-based access control (RBAC). This plugin's misconfiguration allows direct access to restricted endpoints or admin functionality by bypassing WordPress's standard authorization mechanisms. The issue affects all versions from initial release through 1.1.6, suggesting a fundamental design flaw in how the plugin validates user permissions across its API and internal function calls.

Affected ProductsAI

Walker for Elementor plugin by merkulove affects all versions from the initial release through and including version 1.1.6. The plugin is distributed via the WordPress plugin repository and is used to extend Elementor page builder with custom walker functionality. The vulnerability applies to any WordPress installation running the affected plugin versions regardless of site configuration or Elementor version.

RemediationAI

Update Walker for Elementor to a patched version released after 1.1.6. Users should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate 'Walker for Elementor', and click 'Update' if available. If no update is displayed, check the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/walker-elementor/vulnerability/wordpress-walker-for-elementor-plugin-1-1-6-broken-access-control-vulnerability) for confirmation of patch release and exact version number. As a temporary measure, restrict plugin access via WordPress user role management or deactivate the plugin until a patched version is confirmed available.

Share

CVE-2025-66159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy