
CVE-2025-66151: CWE-862 Missing Authorization in merkulove Countdowner for Elementor

Severity: Medium
Published: Wed Dec 31 2025 (12/31/2025, 18:32:49 UTC)
Source: CVE Database V5
Vendor/Project: merkulove
Product: Countdowner for Elementor

Description

Missing Authorization vulnerability in merkulove Countdowner for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Countdowner for Elementor: from n/a through 1.0.4.

AI-Powered Analysis

AI analysis last updated: 01/21/2026, 00:36:44 UTC

Technical Analysis

CVE-2025-66151 identifies a missing authorization vulnerability (CWE-862) in the merkulove Countdowner plugin for Elementor, a WordPress plugin used to add countdown timers to websites. The vulnerability exists because the plugin's access control does not adequately verify that a user holds the necessary permissions before performing certain actions. This flaw affects all versions up to and including 1.0.4. The CVSS 3.1 base score is 5.4, indicating medium severity. The vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (PR:L, i.e. an authenticated account rather than an anonymous visitor), and does not require user interaction. The impact affects integrity and availability but not confidentiality: an attacker could alter or disrupt plugin functionality or website components but could not read sensitive data through this flaw. No patches or exploit code are currently published, and no known active exploitation has been reported. The vulnerability could be leveraged by malicious insiders or compromised accounts to act beyond their intended role within a WordPress site using this plugin, potentially leading to defacement, denial of service, or other disruptions.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the merkulove Countdowner plugin integrated into Elementor. The impact includes unauthorized modification or disruption of countdown timers or related website features, which could degrade user experience, damage brand reputation, or cause operational interruptions. While the vulnerability does not expose confidential data, the integrity and availability impacts could be leveraged in targeted attacks against marketing campaigns, event announcements, or time-sensitive promotions. Organizations in sectors relying heavily on web presence, such as e-commerce, media, and event management, may face increased risk. The requirement for some level of user privileges limits exploitation to insiders or compromised accounts, but given the widespread use of WordPress and Elementor in Europe, the attack surface is significant. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation.

Mitigation Recommendations

1. Monitor for and apply official patches or updates from merkulove as soon as they become available to address the missing authorization issue.
2. In the interim, restrict plugin usage to trusted administrators and limit the number of users with privileges that could exploit this vulnerability.
3. Review and tighten WordPress user roles and permissions, ensuring that only necessary users have access to modify or interact with the Countdowner plugin features.
4. Implement web application firewalls (WAFs) with rules to detect and block suspicious requests targeting the plugin endpoints.
5. Conduct regular security audits and penetration tests focusing on WordPress plugins and access control configurations.
6. Educate site administrators about the risks of privilege escalation and encourage strong authentication practices to reduce the likelihood of account compromise.
7. Consider temporarily disabling or removing the Countdowner plugin if patching is not immediately feasible and the plugin is not critical to operations.
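The kind of server-side check that CWE-862 describes as missing, shown as an added example written for this page and not taken from the Countdowner plugin (the advisory does not show the affected code). The hook name, option name, capability and nonce action are all assumed for illustration; the point is the order of checks in the hardened handler, which is what recommendation 3 ultimately relies on.

```php
<?php
// Hypothetical admin-ajax handler that stores the end time of a countdown.
// Every wp_ajax_* hook is reachable by any logged-in account, so the handler
// itself must decide who is allowed to change state.

// BEFORE (CWE-862 pattern, shown for contrast and deliberately NOT registered):
// no capability check and no nonce, so any low-privilege user who can log in
// can overwrite the timer (integrity) or store a value that breaks it (availability).
function cdn_save_timer_unsafe() {
    $end = sanitize_text_field( wp_unslash( $_POST['end'] ?? '' ) );
    update_option( 'cdn_timer_end', $end );
    wp_send_json_success();
}

// AFTER: authorize the caller first, then verify the request came from a
// form this site issued, then validate the input, and only then write state.
add_action( 'wp_ajax_cdn_save_timer', 'cdn_save_timer_safe' );
function cdn_save_timer_safe() {
    // 1. Authorization: the capability, not the login, decides access.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), nothing below runs
    }

    // 2. Request integrity: rejects requests without a valid nonce (dies with 403).
    check_ajax_referer( 'cdn_save_timer', 'nonce' );

    // 3. Input validation: accept only an ISO-8601 local date-time.
    $end = sanitize_text_field( wp_unslash( $_POST['end'] ?? '' ) );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(:\d{2})?$/', $end ) ) {
        wp_send_json_error( 'invalid end time', 400 );
    }

    // 4. Only now touch stored state.
    update_option( 'cdn_timer_end', $end );
    wp_send_json_success( array( 'end' => $end ) );
}

// The matching nonce would be issued to the settings page with
// wp_create_nonce( 'cdn_save_timer' ) and sent back in the 'nonce' POST field.
```

When auditing a plugin for this CWE, the question to ask of every wp_ajax_*, REST and admin_post_* handler is whether a current_user_can() check runs before any write, since a nonce alone only proves the request was issued to the same user, not that the user is allowed to act.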


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-11-21T11:23:07.864Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6955a05adb813ff03e045d87

Added to database: 12/31/2025, 10:14:50 PM

Last enriched: 1/21/2026, 12:36:44 AM

Last updated: 2/7/2026, 5:31:31 AM

