CVE-2025-66144 is a missing authorization vulnerability (CWE-862) found in the merkulove Worker for Elementor plugin, affecting versions up to 1.0.10. The vulnerability arises due to incorrectly configured access control security levels, allowing users with limited privileges (PR:L) to perform actions they should not be authorized to execute. The attack vector is network-based (AV:N), and no user interaction is required (UI:N), making it feasible for remote exploitation by authenticated users with some level of access. The vulnerability impacts the integrity and availability of the affected systems, as unauthorized modifications or disruptions can occur. The CVSS v3.1 base score is 5.4, indicating a medium severity level. Although no public exploits are currently known, the flaw represents a significant risk for websites relying on this plugin, especially given the widespread use of Elementor in WordPress environments. The lack of available patches at the time of publication necessitates immediate attention to access controls and monitoring. The vulnerability highlights the importance of proper authorization checks in plugin development to prevent privilege escalation and unauthorized actions.

For European organizations, this vulnerability could lead to unauthorized modifications of website content or disruption of services hosted on WordPress platforms using the merkulove Worker for Elementor plugin. This can damage organizational reputation, lead to loss of customer trust, and potentially cause downtime affecting business operations. Integrity impacts could include defacement or injection of malicious content, while availability impacts might manifest as denial of service or functionality loss. Organizations in sectors relying heavily on web presence, such as e-commerce, media, and public services, are particularly vulnerable. The medium severity score reflects a moderate but tangible risk, especially if attackers gain authenticated access through compromised credentials or insider threats. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are widely known.

Organizations should immediately audit and restrict access to the merkulove Worker for Elementor plugin, ensuring only trusted users have privileges that could be exploited. Implement strict role-based access controls and monitor user activities for anomalies. Since no patches are currently available, consider disabling or removing the plugin temporarily if feasible. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin's endpoints. Regularly update WordPress core, themes, and other plugins to reduce the attack surface. Additionally, conduct security assessments and penetration testing focused on authorization controls within the WordPress environment. Prepare to apply vendor patches promptly once released and maintain an incident response plan to address potential exploitation attempts.