CVE-2025-66151: CWE-862 Missing Authorization in merkulove Countdowner for Elementor
Missing Authorization vulnerability in merkulove Countdowner for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Countdowner for Elementor: from n/a through 1.0.4.
AI Analysis
Technical Summary
CVE-2025-66151 identifies a missing authorization vulnerability (CWE-862) in the merkulove Countdowner plugin for Elementor, a WordPress plugin used to display countdown timers. CWE-862 means that at least one privileged operation is performed without first checking that the caller is authorized to request it; here the plugin's access control is configured so that certain actions are not restricted to the users who should be allowed to perform them. A user holding a low-privilege account on the site (CVSS PR:L) can therefore perform operations that should be restricted, potentially modifying or disrupting the plugin's functionality. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network exploitability (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). The impact is limited to integrity and availability, with no confidentiality impact: an attacker can alter or disrupt plugin behavior but cannot read sensitive data through this flaw. No patches or exploits are currently known, but the vulnerability is publicly disclosed and should be addressed promptly. Versions up to and including 1.0.4 are affected; the lower bound of the affected range is not specified ("n/a"). This issue is particularly relevant for WordPress sites using Elementor with merkulove Countdowner, which are common on marketing and event-related websites.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized changes in website content or functionality where the Countdowner plugin is used, potentially disrupting marketing campaigns, event countdowns, or user experience. Integrity of displayed information could be compromised, leading to misinformation or loss of trust. Availability impacts could cause countdown timers to malfunction or disappear, affecting business operations reliant on timely event notifications. While confidentiality is not directly impacted, the disruption or manipulation of web content can have reputational and operational consequences. Organizations with public-facing websites using this plugin are at risk, especially those in sectors relying heavily on event-driven marketing such as retail, entertainment, and hospitality. The medium severity score suggests moderate risk but warrants timely mitigation to prevent exploitation, especially given the ease of network-based exploitation and no required user interaction.
Mitigation Recommendations
1. Monitor merkulove and Elementor plugin updates closely and apply patches immediately once available to address this vulnerability.
2. Until patches are released, restrict plugin access to trusted administrators only and review user roles and permissions to minimize exposure.
3. Implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting the plugin's endpoints.
4. Conduct regular audits of WordPress user accounts and plugin configurations to ensure no unauthorized privilege escalation is possible.
5. Employ security plugins that can detect unauthorized changes to plugin files or configurations.
6. Educate site administrators on the risks of granting excessive privileges and enforce the principle of least privilege.
7. Consider temporarily disabling the Countdowner plugin if it is not critical to operations until a fix is available.
8. Monitor website logs for unusual activity related to the plugin's functionality to detect early exploitation attempts.
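To make the CWE-862 pattern from the technical summary and the least-privilege advice in the recommendations concrete, the following added example (not code from the Countdowner for Elementor plugin, whose internals are not described on this page) shows what a missing authorization check looks like in a WordPress admin-ajax handler and how a hardened handler and an equivalent REST route enforce authorization before a state-changing operation. The hook name `example_timer_save`, the option `example_timer_end`, the REST namespace `example-timer/v1` and the choice of the `manage_options` capability are all hypothetical placeholders.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress plugin
 * context. This is NOT code from the Countdowner for Elementor plugin; every
 * hook, option, capability and route name below is a hypothetical placeholder.
 */

// --- The pattern CWE-862 describes ------------------------------------------
// 'wp_ajax_' hooks fire for EVERY authenticated user, regardless of role, so a
// handler that skips its own capability check is reachable from a low-privilege
// account (the PR:L in the CVSS vector). Shown for contrast only; the
// registration line is left commented so this file never exposes it.
// add_action( 'wp_ajax_example_timer_save', 'example_timer_save_unchecked' );
function example_timer_save_unchecked() {
    // No capability check, no nonce: any logged-in account can overwrite the
    // timer end (integrity) or store an unparsable value (availability).
    update_option( 'example_timer_end', $_POST['end'] ?? '' );
    wp_send_json_success();
}

// --- Hardened handler ---------------------------------------------------------
add_action( 'wp_ajax_example_timer_save', 'example_timer_save_checked' );
// Never add a matching 'wp_ajax_nopriv_' hook for a privileged action.
function example_timer_save_checked() {
    // 1. Authorization (the CWE-862 fix): require a capability held only by the
    //    roles that may edit the timer. Check capabilities, not role names, and
    //    pick the narrowest capability that fits the operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // wp_die()s
    }

    // 2. CSRF protection: a nonce bound to this action and the current user.
    //    check_ajax_referer() stops execution with a 400 on failure by default.
    check_ajax_referer( 'example_timer_save', '_ajax_nonce' );

    // 3. Input validation: only accept a parsable end time in the future.
    $raw = isset( $_POST['end'] ) ? sanitize_text_field( wp_unslash( $_POST['end'] ) ) : '';
    $ts  = strtotime( $raw );
    if ( false === $ts || $ts < time() ) {
        wp_send_json_error( array( 'message' => 'invalid end time' ), 400 );
    }

    $end = gmdate( 'Y-m-d H:i:s', $ts );
    update_option( 'example_timer_end', $end );
    wp_send_json_success( array( 'end' => $end ) );
}

// --- REST API equivalent --------------------------------------------------------
// WordPress requires a permission_callback on every route; returning
// '__return_true' on a state-changing route is the REST form of CWE-862.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-timer/v1', '/end', array(
        'methods'             => 'POST',
        'callback'            => 'example_timer_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'end' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    $ts = strtotime( $value );
                    return false !== $ts && $ts >= time();
                },
            ),
        ),
    ) );
} );

function example_timer_rest_save( WP_REST_Request $request ) {
    // Authorization and validation already ran via permission_callback / args.
    $end = gmdate( 'Y-m-d H:i:s', strtotime( $request->get_param( 'end' ) ) );
    update_option( 'example_timer_end', $end );
    return rest_ensure_response( array( 'end' => $end ) );
}
```

When auditing a plugin for this class of bug (recommendation 4 above), the quick check is to list every `wp_ajax_`, `wp_ajax_nopriv_`, `admin_post_` and `register_rest_route` registration and confirm that each state-changing callback performs a `current_user_can()` check (or has a non-trivial `permission_callback`) before it touches options, posts or files. The REST request in the hardened form above returns HTTP 403 for an authenticated user without the capability, which is the signal to look for in the web server logs mentioned in recommendation 8.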
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:07.864Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6955a05adb813ff03e045d87
Added to database: 12/31/2025, 10:14:50 PM
Last enriched: 12/31/2025, 10:16:48 PM
Last updated: 1/7/2026, 4:12:39 AM