CVE-2025-66159
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in merkulove Walker for Elementor walker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Walker for Elementor: from n/a through <= 1.1.6.
AnalysisAI
Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.
Technical ContextAI
Walker for Elementor is a WordPress plugin that extends Elementor page builder functionality with custom walker elements. The vulnerability exploits CWE-862 (Missing Authorization), indicating that the plugin fails to implement proper permission verification before executing sensitive operations. WordPress plugins typically authenticate users via nonces, capability checks, and role-based access control (RBAC). This plugin's misconfiguration allows direct access to restricted endpoints or admin functionality by bypassing WordPress's standard authorization mechanisms. The issue affects all versions from initial release through 1.1.6, suggesting a fundamental design flaw in how the plugin validates user permissions across its API and internal function calls.
Affected ProductsAI
Walker for Elementor plugin by merkulove affects all versions from the initial release through and including version 1.1.6. The plugin is distributed via the WordPress plugin repository and is used to extend Elementor page builder with custom walker functionality. The vulnerability applies to any WordPress installation running the affected plugin versions regardless of site configuration or Elementor version.
RemediationAI
Update Walker for Elementor to a patched version released after 1.1.6. Users should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate 'Walker for Elementor', and click 'Update' if available. If no update is displayed, check the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/walker-elementor/vulnerability/wordpress-walker-for-elementor-plugin-1-1-6-broken-access-control-vulnerability) for confirmation of patch release and exact version number. As a temporary measure, restrict plugin access via WordPress user role management or deactivate the plugin until a patched version is confirmed available.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today