CVE-2025-66145 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the merkulove Worker plugin for WPBakery, a popular WordPress page builder extension. The issue arises due to improperly configured access control mechanisms, allowing users with limited privileges (PR:L) to perform unauthorized actions that can compromise the integrity and availability of the affected system. The vulnerability does not impact confidentiality but can lead to unauthorized modifications or disruptions. It is remotely exploitable over the network (AV:N) with low attack complexity (AC:L) and does not require user interaction (UI:N). The scope remains unchanged (S:U), meaning the exploit affects only the vulnerable component without extending to other system parts. The CVSS v3.1 base score is 5.4, indicating a medium severity level. No patches or known exploits are currently available, but the vulnerability affects all versions up to 1.1.1 of the plugin. The flaw likely stems from missing or incorrect authorization checks in the plugin’s worker processes, which handle backend tasks for WPBakery. Attackers with some level of authenticated access could exploit this to perform unauthorized actions, potentially disrupting site functionality or modifying content. Given WPBakery’s widespread use in WordPress sites, this vulnerability could affect a broad range of websites, especially those using the merkulove Worker plugin. The absence of user interaction requirements and low complexity make it a notable risk for environments where users have limited privileges but can access the plugin’s features.

For European organizations, this vulnerability poses a risk primarily to the integrity and availability of WordPress-based websites using the merkulove Worker plugin for WPBakery. Attackers with limited privileges could exploit the missing authorization to alter site content, disrupt services, or interfere with backend processes, potentially leading to website defacement, downtime, or loss of service availability. This could impact e-commerce platforms, corporate websites, and public-facing portals, damaging reputation and causing operational disruptions. Since the vulnerability does not affect confidentiality, direct data breaches are less likely, but indirect effects such as service outages or unauthorized content changes could have significant business consequences. Organizations relying heavily on WordPress for critical services should be particularly vigilant. The lack of known exploits in the wild provides a window for proactive mitigation, but the medium severity score indicates that exploitation could still cause meaningful harm if left unaddressed.

1. Immediately audit user privileges and restrict access to the merkulove Worker plugin features only to trusted administrators or necessary roles. 2. Implement strict role-based access controls (RBAC) within WordPress to limit who can interact with the plugin’s backend processes. 3. Monitor logs and site activity for unusual or unauthorized actions related to the plugin, focusing on integrity and availability anomalies. 4. Disable or remove the merkulove Worker plugin if it is not essential to reduce the attack surface. 5. Stay informed on vendor advisories and apply security patches promptly once they become available. 6. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. 7. Conduct regular security assessments and penetration tests focusing on WordPress plugins and their access controls. 8. Educate site administrators about the risks of privilege misuse and the importance of secure plugin management.