CVE-2025-66145: CWE-862 Missing Authorization in merkulove Worker for WPBakery
Missing Authorization vulnerability in merkulove Worker for WPBakery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Worker for WPBakery: from n/a through 1.1.1.
AI Analysis
Technical Summary
CVE-2025-66145 identifies a missing authorization vulnerability (CWE-862) in the merkulove Worker for WPBakery plugin, affecting versions up to and including 1.1.1. The plugin exposes sensitive operations without verifying that the caller is authorized to perform them, so an authenticated user with limited privileges (PR:L) can carry out actions that affect data integrity or availability, with no user interaction required (UI:N). The attack vector is network-based (AV:N): the flawed operations are reachable remotely through ordinary web requests to the WordPress site hosting the plugin. Confidentiality is not affected, but integrity and availability are, for example through unauthorized content changes or denial-of-service conditions. At the time of writing no patch has been published and no in-the-wild exploitation has been reported, which leaves a window for proactive mitigation. Worker for WPBakery extends the functionality of WPBakery, a popular WordPress page builder, so the issue potentially affects the many websites that rely on that ecosystem. The CVSS 3.1 score of 5.4 (medium) reflects the ease of exploitation balanced against the limited scope of impact and the requirement for some privileges. The root cause is the lack of proper authorization checks on sensitive operations within the plugin, which allows privilege escalation or unauthorized actions by authenticated low-privilege users.
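As an added illustration (not code from Worker for WPBakery, whose affected operation the advisory does not name), the following hypothetical WordPress AJAX handler shows the CWE-862 pattern described above: an admin-ajax.php action reachable by any logged-in user (PR:L) with no capability check, beside the hardened form that verifies a nonce and the caller's capability before writing. The `wfw_` prefix, option name and action name are invented for the example.

```php
<?php
// Hypothetical plugin code, constructed for illustration only.
// Hooking 'wp_ajax_<action>' (and not 'wp_ajax_nopriv_<action>') means the
// action is reachable by every authenticated user, whatever their role.
// WordPress authenticates the caller but performs NO authorization check
// for custom AJAX actions; the handler itself must do that.

// BEFORE (CWE-862): a Subscriber-level account can rewrite plugin settings.
// Shown for comparison only; it is deliberately not registered below.
function wfw_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'wfw_settings', $settings ); // integrity impact, no check
    wp_send_json_success();
}

// AFTER: the same operation, gated on a nonce (request forgery) and on a
// capability (authorization). Low-privilege callers receive HTTP 403 and
// nothing is written.
function wfw_save_settings_hardened() {
    // Rejects the request (HTTP 403) when the 'nonce' field is missing or stale.
    check_ajax_referer( 'wfw_save_settings', 'nonce' );

    // The authorization check that CWE-862 describes as missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    // Sanitize every leaf value before it reaches the database.
    $settings = map_deep( $raw, 'sanitize_text_field' );
    update_option( 'wfw_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_wfw_save_settings', 'wfw_save_settings_hardened' );

// The nonce the hardened handler expects is issued to admin pages like this,
// so a legitimate client can include it as the 'nonce' POST field.
function wfw_enqueue_admin_nonce() {
    wp_localize_script( 'wfw-admin', 'wfwAjax', array(
        'nonce' => wp_create_nonce( 'wfw_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wfw_enqueue_admin_nonce' );
```

When auditing a plugin for this class of bug, list every `wp_ajax_*`, REST route and `admin_post_*` callback and confirm each one performs a `current_user_can()` check (or a REST `permission_callback`) appropriate to the operation, not merely a nonce check.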
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the merkulove Worker for WPBakery plugin. Potential impacts include unauthorized modification of website content, disruption of service availability, and possible defacement or injection of malicious content. This can damage brand reputation, reduce customer trust, and lead to compliance issues under regulations like GDPR if personal data integrity is compromised. E-commerce platforms and public-facing corporate websites are particularly vulnerable, as attackers could manipulate product information or disrupt sales operations. The requirement for low-level privileges means that insider threats or compromised user accounts could be leveraged to exploit this vulnerability. Although no known exploits exist currently, the public disclosure increases the risk of future attacks. The lack of patches means organizations must rely on compensating controls until updates are available. Given the widespread use of WPBakery in Europe, the threat could affect a significant number of sites, especially those not following strict access control policies.
Mitigation Recommendations
Organizations should immediately audit and restrict access permissions for users interacting with the merkulove Worker for WPBakery plugin, ensuring only trusted administrators have the necessary privileges. Implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. Monitor logs for unusual activity indicative of unauthorized access attempts or privilege escalation. Disable or remove the plugin if it is not essential to reduce the attack surface. Keep WordPress core and all plugins up to date and subscribe to vendor security advisories for timely patch releases. Employ multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials. Conduct regular security assessments and penetration testing focusing on access control mechanisms. Prepare incident response plans to quickly address any exploitation attempts. Consider isolating critical web services behind VPNs or IP whitelisting where feasible to limit exposure.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:07.863Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6955807ddb813ff03efdb3f7
Added to database: 12/31/2025, 7:58:53 PM
Last enriched: 1/21/2026, 12:35:17 AM
Last updated: 2/6/2026, 1:53:46 AM