CVE-2025-66152 is a Missing Authorization vulnerability classified under CWE-862 affecting the merkulove Criptopayer plugin for Elementor, a WordPress plugin used for cryptocurrency payment integration. The vulnerability arises from incorrectly configured access control security levels, allowing users with some privileges (likely authenticated users with limited rights) to perform unauthorized actions that they should not be permitted to execute. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) indicates that the vulnerability is remotely exploitable over the network without user interaction, requires low attack complexity, and privileges at the level of a logged-in user. The impact affects the integrity and availability of the system but does not compromise confidentiality. Since the plugin is integrated into WordPress sites using Elementor, exploitation could lead to unauthorized changes in payment processing or disruption of services. No patches or known exploits are currently available, but the vulnerability's presence necessitates immediate attention to access control configurations within the plugin and the hosting environment. The issue affects all versions up to 1.0.1, with no specific version details provided beyond that. The vulnerability was reserved in late 2025 and published shortly thereafter, indicating recent discovery.

For European organizations, especially those operating e-commerce platforms or websites accepting cryptocurrency payments via WordPress Elementor with the Criptopayer plugin, this vulnerability poses a risk of unauthorized modification or disruption of payment processes. This can lead to financial losses, reputational damage, and service downtime. The integrity impact could allow attackers to manipulate payment data or transaction flows, while availability impact could result in denial of payment services. Since the vulnerability requires some level of authenticated access, insider threats or compromised user accounts increase risk. Organizations relying on this plugin without strict access controls or monitoring may face exploitation attempts. The lack of confidentiality impact reduces risk of data leakage but does not diminish the threat to operational continuity and trustworthiness of payment systems.

1. Immediately audit user roles and permissions within WordPress and the Criptopayer plugin to ensure least privilege principles are enforced. 2. Restrict plugin access and administrative functions to trusted, verified users only. 3. Monitor logs for unusual activities related to payment processing or plugin usage. 4. Disable or remove the Criptopayer plugin if it is not essential or if a secure alternative exists. 5. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin endpoints. 6. Stay informed on vendor updates and apply patches promptly once available. 7. Conduct penetration testing focused on access control mechanisms of the plugin. 8. Educate administrators on the risks of privilege escalation and enforce strong authentication methods to reduce compromised account risks.