CVE-2025-66159
Description
Missing Authorization vulnerability in merkulove Walker for Elementor (walker-elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Walker for Elementor from n/a through 1.1.6 inclusive.
Analysis
Missing authorization in the Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls, bypass the intended security restrictions and reach functionality they are not authorized to use. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation: protected features can be invoked without proper authentication or role-based authorization checks.
Technical Context
Walker for Elementor is a WordPress plugin that extends the Elementor page builder with custom walker elements. The vulnerability is classified as CWE-862 (Missing Authorization), meaning the plugin fails to verify permissions before executing sensitive operations. WordPress plugins typically gate such operations with nonces, capability checks, and role-based access control (RBAC). Because this plugin omits those checks, restricted endpoints or admin functionality can be reached directly, bypassing WordPress's standard authorization mechanisms. The issue affects all versions from the initial release through 1.1.6, suggesting a fundamental design flaw in how the plugin validates user permissions across its API and internal function calls.
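As an added illustration that is not code from the Walker for Elementor plugin, the following hypothetical WordPress admin-ajax handler shows the CWE-862 pattern described above beside a hardened version that performs the nonce and capability checks the advisory refers to; the action name, option key and capability are assumptions.

```php
<?php
// Added illustration, not code from Walker for Elementor. Action name,
// option key and the 'manage_options' capability are hypothetical.

// --- Vulnerable pattern (CWE-862). A plugin that wires this callback to both
// 'wp_ajax_walker_save_settings' and 'wp_ajax_nopriv_walker_save_settings'
// lets any visitor who can reach admin-ajax.php run it, and the callback
// itself never asks who is calling or whether they are allowed to.
function walker_save_settings_unchecked() {
    // No nonce check and no capability check before a state-changing write.
    update_option( 'walker_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern. Register only the authenticated hook (no *_nopriv_*
// variant for an admin action) and enforce both checks inside the callback.
add_action( 'wp_ajax_walker_save_settings', 'walker_save_settings_checked' );

function walker_save_settings_checked() {
    // Nonce: proves the request came from a form or script this site issued
    // (CSRF protection). It is NOT an authorization check on its own.
    check_ajax_referer( 'walker_settings_nonce', 'nonce' );

    // Authorization: the WordPress capability (RBAC) check. This is the
    // missing step that CWE-862 describes. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Validate and sanitize input on top of the access control, not instead of it.
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'walker_settings', $settings );
    wp_send_json_success();
}

// For REST routes the equivalent control is the 'permission_callback' argument
// of register_rest_route(); a route whose permission_callback returns true
// unconditionally exhibits the same missing-authorization weakness.
```

When auditing a plugin for this class of bug, list every `wp_ajax_*`, `wp_ajax_nopriv_*` and `register_rest_route()` registration and confirm each callback (or `permission_callback`) contains a `current_user_can()` check appropriate to the operation.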
Affected Products
The vulnerability in the Walker for Elementor plugin by merkulove affects all versions from the initial release through and including version 1.1.6. The plugin is distributed via the WordPress plugin repository and is used to extend the Elementor page builder with custom walker functionality. The vulnerability applies to any WordPress installation running an affected plugin version, regardless of site configuration or Elementor version.
Remediation
Update Walker for Elementor to a patched version released after 1.1.6. Users should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate 'Walker for Elementor', and click 'Update' if available. If no update is displayed, check the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/walker-elementor/vulnerability/wordpress-walker-for-elementor-plugin-1-1-6-broken-access-control-vulnerability) for confirmation of patch release and exact version number. As a temporary measure, restrict plugin access via WordPress user role management or deactivate the plugin until a patched version is confirmed available.