CVE-2025-66160
Description
Missing Authorization vulnerability in merkulove Select Graphist for Elementor Graphist for Elementor graphist-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Select Graphist for Elementor Graphist for Elementor: from n/a through <= 1.2.10.
Analysis
Missing authorization in the Select Graphist for Elementor WordPress plugin, versions up to and including 1.2.10, lets a caller trigger functionality that should have been restricted to users holding a specific role or capability. The advisory does not state the minimum privilege level needed to reach the vulnerable code path, so it should not be assumed to be either unauthenticated or administrator-only. The root cause is a broken access control check: the plugin performs a privileged action without first verifying that the current user is allowed to perform it. The page records an EPSS score of 0.01% and no confirmed in-the-wild exploitation, so the probability of attack is low despite the authorization flaw.
Technical Context
The vulnerability is classified as CWE-862 (Missing Authorization): the application performs an operation or returns a resource without checking that the requester is authorized to obtain it. In WordPress plugins this usually means a handler registered on an admin-ajax.php action, an admin-post.php action, or a REST route never calls current_user_can() (or, for REST routes, is registered without a permission_callback), so anyone who can reach the endpoint can invoke it; a nonce check alone does not fix this, because nonces prevent cross-site request forgery, not privilege escalation. The affected software is Select Graphist for Elementor (CPE: wp:select-graphist-for-elementor-plugin), a WordPress plugin that integrates graphing/charting widgets with the Elementor page builder. The advisory does not name the function that lacks the check; the likely candidates are administrative actions, AJAX or REST endpoints, or plugin settings that should require a capability such as manage_options.
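The pattern described above, shown as an added example: this is illustrative PHP written for this page, not code from Graphist for Elementor (the advisory does not quote the vulnerable function), and the action names, option name, nonce name and the assumption that the settings array is flat are all hypothetical. The first handler reproduces the CWE-862 mistake; the second and the REST route show the capability check that closes it.

```php
<?php
/**
 * Illustrative only: NOT the Graphist for Elementor source. Hook names,
 * option names and the nonce action below are assumptions for this example.
 */

// --- Vulnerable pattern (CWE-862): the handler assumes only admins call it.
// wp_ajax_nopriv_ exposes it to logged-out visitors; even wp_ajax_ alone
// admits every logged-in role, including Subscriber.
add_action( 'wp_ajax_graphist_save_settings',        'graphist_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_graphist_save_settings', 'graphist_save_settings_vulnerable' );

function graphist_save_settings_vulnerable() {
	// No capability check and no nonce: anyone who can POST to
	// admin-ajax.php overwrites the plugin's site-wide options.
	$settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
	update_option( 'graphist_settings', $settings );
	wp_send_json_success();
}

// --- Hardened pattern: no nopriv hook, nonce for CSRF, capability for authz.
add_action( 'wp_ajax_graphist_save_settings_v2', 'graphist_save_settings_hardened' );

function graphist_save_settings_hardened() {
	// CSRF: verify the nonce the settings page embedded in its form.
	// This is NOT the authorization fix; it only proves the request came
	// from a page WordPress rendered for this user.
	check_ajax_referer( 'graphist_settings_nonce', 'nonce' );

	// Authorization (the actual CWE-862 fix): the action changes site-wide
	// options, so require the capability WordPress reserves for that.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$raw      = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
		? wp_unslash( $_POST['settings'] ) : array();
	// Assumes a flat array of scalar settings (example assumption).
	$settings = array_map( 'sanitize_text_field', $raw );
	update_option( 'graphist_settings', $settings );
	wp_send_json_success();
}

// --- Same mistake on the REST API is a route with no permission_callback.
// WordPress 5.5+ logs a _doing_it_wrong notice for that, but the route still
// answers requests. The hardened form refuses callers without the capability.
add_action( 'rest_api_init', function () {
	register_rest_route( 'graphist/v1', '/settings', array(
		'methods'             => 'POST',
		'callback'            => 'graphist_rest_save_settings',
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
		'args'                => array(
			'settings' => array( 'type' => 'object', 'required' => true ),
		),
	) );
} );

function graphist_rest_save_settings( WP_REST_Request $request ) {
	$settings = array_map( 'sanitize_text_field', (array) $request->get_param( 'settings' ) );
	update_option( 'graphist_settings', $settings );
	return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this class of bug, grep its hooks for wp_ajax_, wp_ajax_nopriv_, admin_post_ and register_rest_route, then confirm that every handler that writes options, posts, files or users reaches a current_user_can() (or a permission_callback) before the write. A handler that only checks a nonce is still missing authorization.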
Affected Products
All versions of Select Graphist for Elementor (also listed as Graphist for Elementor; plugin slug graphist-elementor) up to and including 1.2.10 are affected. The description gives the range as "from n/a through <= 1.2.10", meaning no earlier version is known to be safe. Patchstack tracks the plugin at patchstack.com/database/Wordpress/Plugin/graphist-elementor/. The CPE used for this entry is wp:select-graphist-for-elementor-plugin. Every WordPress site running this plugin at version 1.2.10 or lower is affected.
Remediation
Upgrade Select Graphist for Elementor to version 1.2.11 or later; confirm the patched release against the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/graphist-elementor/vulnerability/wordpress-select-graphist-for-elementor-graphist-for-elementor-plugin-1-2-10-broken-access-control-vulnerability?_s_id=cve before and after updating. The installed version can be read from the WordPress admin Plugins page or, with WP-CLI, via "wp plugin get graphist-elementor --field=version". If an immediate upgrade is not possible, deactivate the plugin until the patch can be applied: its hooks are not registered while it is inactive, so the unprotected handler is no longer reachable. Because the advisory does not identify which function lacks the check, no narrower mitigation (such as blocking a single endpoint) can be recommended with confidence, and the flaw may allow unauthorized administrative or otherwise sensitive actions depending on which plugin functions are exposed.