
CVE-2025-66137: Missing Authorization in merkulove Searcher for Elementor

Severity: High
Tags: Vulnerability, CVE-2025-66137
Published: Thu Jan 22 2026 (01/22/2026, 16:51:49 UTC)
Source: CVE Database V5
Vendor/Project: merkulove
Product: Searcher for Elementor

Description

Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Searcher for Elementor: from n/a through <= 1.0.3.

AI-Powered Analysis

AILast updated: 01/30/2026, 09:37:12 UTC

Technical Analysis

CVE-2025-66137 is a missing authorization vulnerability (the CWE-862 class) in the merkulove Searcher for Elementor WordPress plugin, affecting all versions up to and including 1.0.3. The plugin adds search functionality to sites built with the Elementor page builder. In WordPress plugins this class of flaw typically means that a privileged action (an admin-ajax.php handler registered on a wp_ajax_ hook, a REST route whose permission_callback simply returns true, or a settings form processor) is reachable without a capability check such as current_user_can(), so any authenticated account, including the default Subscriber role, can trigger it. The CVE record does not name the affected handler, so that description is the general pattern rather than a confirmed reading of the plugin's code. The CVSS vector quoted for the issue (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:H, score 8.8) is consistent with that pattern: reachable over the network, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability, meaning a low-privileged user could read data the plugin exposes, change content or settings, or break site functionality. Note that the Technical Details block on this record lists Cvss Version as null, so confirm the score and vector against the NVD or Patchstack entry before using them for prioritization. No exploitation in the wild has been reported. The CVE ID was reserved by Patchstack on 2025-11-21 and the record published on 2026-01-22, so this is a recent disclosure; no patch or vendor advisory is linked from the record, and sites running the plugin should treat themselves as exposed until the vendor ships a fixed version.

Potential Impact

For European organizations, this vulnerability poses a significant risk to any WordPress site running the merkulove Searcher for Elementor plugin. The potential impacts are unauthorized data disclosure, defacement or manipulation of site content and plugin settings, and denial of service. Organizations that handle customer or business data through their websites could suffer a confidentiality breach, with GDPR notification obligations and reputational damage as a consequence, while loss of content integrity or site availability disrupts operations and erodes customer trust. Because the flaw requires only a low-privileged account (PR:L) and no user interaction, the exposed population is every site where an attacker can obtain such an account: sites with open self-registration, e-commerce or membership sites where customers log in, and any site with a compromised or disgruntled low-privileged user. The absence of known exploits currently provides a window for mitigation, but the high severity score indicates that once exploited, the consequences could be severe. European e-commerce, finance, healthcare and government sites built on Elementor are particularly at risk.

Mitigation Recommendations

1. Monitor the merkulove and Patchstack channels for a fixed release of Searcher for Elementor addressing CVE-2025-66137 and update immediately when it is published; the record currently links no patch.
2. Until a patch is available, shrink the set of accounts that can reach the vulnerable code: a missing authorization flaw is exploitable by any logged-in user, so disable open self-registration (Settings > General, "Anyone can register"), remove stale or unknown low-privileged accounts, and require strong authentication for every remaining account.
3. Put a web application firewall in front of the site with rules that restrict or rate-limit requests to /wp-admin/admin-ajax.php and /wp-json/ that carry the plugin's action or route names from sessions that are not administrators; Patchstack's own virtual-patching rules, where subscribed, cover this vendor's disclosures.
4. Audit WordPress user privileges: confirm that no Subscriber, Contributor or Author accounts exist that are not needed, and that no plugin grants extra capabilities to those roles.
5. Enable request logging for admin-ajax.php and the REST API and alert on calls to plugin endpoints from non-administrator sessions, on settings changes in the plugin's options, and on unexpected content modifications.
6. Disable or remove the Searcher for Elementor plugin if its search feature is not critical to operations; Elementor's built-in search widget is a fallback.
7. Brief site administrators on the flaw and on the indicators above so that suspicious activity is recognised and escalated.
8. Back up the site database and files regularly and test restoration, so that defaced or manipulated content can be recovered quickly after a compromise.
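To make the analysis concrete, the following is an added illustration of the missing-authorization pattern described above and of the check that fixes it; it is example code written for this page, not code from the Searcher for Elementor plugin, and every name in it (demo_searcher_*, demo_searcher_settings, demo-searcher/v1) is hypothetical. It shows an admin-ajax handler and a REST route in their vulnerable form (reachable by any logged-in user) beside the hardened form (nonce plus capability check before any side effect), which is what a reviewer would look for when the vendor's fix lands.

```php
<?php
/*
 * Illustrative only: the generic WordPress "missing authorization" pattern
 * (CWE-862) and its fix. Not code from merkulove Searcher for Elementor;
 * all function, option and route names below are hypothetical.
 */

// --- Vulnerable form -------------------------------------------------------
// wp_ajax_{action} fires for every logged-in user, including the Subscriber
// role, so a handler with no capability check is exactly the PR:L scenario.
add_action( 'wp_ajax_demo_searcher_save_settings', 'demo_searcher_save_settings_vuln' );
function demo_searcher_save_settings_vuln() {
    // No nonce, no current_user_can(): any authenticated user can overwrite
    // the plugin's settings (integrity) and break or redirect search (availability).
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'demo_searcher_settings', $settings );
    wp_send_json_success();
}

// --- Hardened form ---------------------------------------------------------
add_action( 'wp_ajax_demo_searcher_save_settings_fixed', 'demo_searcher_save_settings_fixed' );
function demo_searcher_save_settings_fixed() {
    // CSRF protection: the request must carry the nonce issued to this user
    // (created elsewhere with wp_create_nonce( 'demo_searcher_nonce' )).
    check_ajax_referer( 'demo_searcher_nonce', 'nonce' );

    // Authorization: only users allowed to manage options may change settings.
    // This is the check whose absence constitutes the vulnerability class.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Input validation: accept only known keys, sanitized and bounded.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'placeholder' => sanitize_text_field( $raw['placeholder'] ?? '' ),
        'limit'       => min( 100, max( 1, absint( $raw['limit'] ?? 10 ) ) ),
    );
    update_option( 'demo_searcher_settings', $settings );
    wp_send_json_success( $settings );
}

// --- The same mistake in REST form ----------------------------------------
// A permission_callback of '__return_true' makes the route reachable by any
// caller; the hardened version gates it on the same capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-searcher/v1', '/settings', array(
        'methods'  => 'POST',
        'callback' => 'demo_searcher_rest_save',
        // Vulnerable: 'permission_callback' => '__return_true',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'limit' => array( 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );
function demo_searcher_rest_save( WP_REST_Request $request ) {
    $settings          = get_option( 'demo_searcher_settings', array() );
    $settings['limit'] = min( 100, max( 1, (int) $request->get_param( 'limit' ) ) );
    update_option( 'demo_searcher_settings', $settings );
    return rest_ensure_response( $settings );
}
```

When triaging a plugin for this class, grep for add_action( 'wp_ajax_ and register_rest_route( and confirm that each handler reaches current_user_can() (or a permission_callback that calls it) before the first update_option(), database write or file operation; a nonce check alone is not authorization, since WordPress issues nonces to Subscribers too.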


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-11-21T11:23:00.557Z
CVSS Version: null
State: PUBLISHED

Threat ID: 697259114623b1157c7fab58

Added to database: 1/22/2026, 5:06:25 PM

Last enriched: 1/30/2026, 9:37:12 AM

Last updated: 2/6/2026, 1:38:06 AM

Views: 28
