CVE-2025-66152: CWE-862 Missing Authorization in merkulove Criptopayer for Elementor
Missing Authorization vulnerability in merkulove Criptopayer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Criptopayer for Elementor: from n/a through 1.0.1.
AI Analysis
Technical Summary
CVE-2025-66152 is a Missing Authorization (CWE-862) vulnerability in Criptopayer for Elementor, a merkulove WordPress plugin for accepting cryptocurrency payments on Elementor-built pages. CWE-862 means that at least one plugin action is performed without first checking whether the requesting user holds the capability that should gate it; in WordPress plugins this usually takes the form of an AJAX or REST handler that checks no capability at all, or checks only a nonce, which proves where a request came from but not that the caller is authorized. The published metrics place the attacker on the network (AV:N) with low privileges (PR:L), no user interaction (UI:N) and scope unchanged (S:U); together with the CVSS v3.1 base score of 5.4 (medium) these correspond to low integrity and low availability impact with no confidentiality impact (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). In practice this means any authenticated account, down to Subscriber level, may be able to change or disrupt the plugin's payment configuration or processing; the advisory does not enumerate the affected endpoints or actions. The affected range is given as "n/a through 1.0.1", i.e. every release up to and including 1.0.1 with no stated lower bound. The CVE was assigned by Patchstack, reserved on 2025-11-21 and published at the end of 2025. At the time of this analysis no fixed version had been released and no exploitation in the wild was known.
Potential Impact
For European organizations, especially those operating e-commerce platforms or websites accepting cryptocurrency payments via WordPress, this vulnerability poses a risk to transaction integrity and service availability. Unauthorized users could manipulate payment data, potentially causing financial discrepancies, loss of customer trust, or service outages. This could also lead to regulatory compliance issues under GDPR if customer data integrity is compromised. The medium severity score suggests moderate risk, but the financial nature of the plugin elevates the potential business impact. Organizations relying on this plugin may face operational disruptions or reputational damage if exploited. The lack of a patch increases exposure time, making proactive mitigation critical. The impact is more pronounced in sectors with high cryptocurrency transaction volumes or where Elementor and merkulove plugins are widely deployed.
Mitigation Recommendations
Until a fixed version is released, start by shrinking the set of accounts that can satisfy PR:L: the advisory implies that any authenticated user can reach the unprotected action, so disable open registration (Settings > General, "Anyone can register") unless the site needs it, keep the new-user default role at Subscriber, and remove stale or unused accounts. Restrict plugin management and Criptopayer settings to trusted administrators and review custom roles for capabilities they do not need. A web application firewall can block requests from non-administrator sessions to the plugin's admin-ajax.php actions and REST routes, but the advisory does not name those endpoints, so rules have to be derived from the plugin's own source (its add_action( 'wp_ajax_...' ) and register_rest_route() calls). Monitor for requests to those endpoints from low-privileged accounts and for changes to the plugin's options or payment settings that were not made by an administrator. If the plugin is not needed, deactivate it; if payments through it are business-critical, weigh a temporary switch to another payment solution. Watch the vendor and Patchstack for a fixed release, apply it promptly, and re-audit plugin capabilities as part of routine access reviews.
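The advisory does not publish the affected code, so the following is an added illustration of the CWE-862 pattern as it appears in WordPress plugins in general, written for this page rather than taken from Criptopayer: an AJAX handler that changes a payment setting with no capability check, next to the hardened form, plus the equivalent defect and fix on a REST route. All hook names, option names, the capability and the nonce action are assumptions chosen for the example and are not the plugin's real endpoints.

```php
<?php
// Added example, not Criptopayer's code. Hook names, the option name
// 'example_payout_wallet', the capability and the nonce action are assumptions.

// BEFORE (CWE-862): wp_ajax_{action} fires for every logged-in user regardless
// of role, so a Subscriber account (PR:L) can call this and change the payout
// address. Sanitizing the input does nothing for authorization.
add_action( 'wp_ajax_example_save_wallet', 'example_save_wallet_unchecked' );
function example_save_wallet_unchecked() {
    $wallet = isset( $_POST['wallet'] ) ? sanitize_text_field( wp_unslash( $_POST['wallet'] ) ) : '';
    update_option( 'example_payout_wallet', $wallet ); // integrity impact
    wp_send_json_success();
}

// A common non-fix: `if ( ! is_admin() ) return;`. is_admin() is true for any
// admin-ajax.php request, whatever the caller's role; it is not a capability check.

// AFTER: a real authorization check, then CSRF protection, then the state change.
add_action( 'wp_ajax_example_save_wallet_v2', 'example_save_wallet_checked' );
function example_save_wallet_checked() {
    // Authorization (fixes CWE-862). A nonce alone would not: it proves the
    // request came from a page the same user loaded, not that the user may act.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    // Request forgery protection (separate concern, CWE-352); dies on failure.
    check_ajax_referer( 'example_save_wallet', 'nonce' );

    $wallet = isset( $_POST['wallet'] ) ? sanitize_text_field( wp_unslash( $_POST['wallet'] ) ) : '';
    if ( '' === $wallet ) {
        wp_send_json_error( array( 'message' => 'wallet required' ), 400 );
    }
    update_option( 'example_payout_wallet', $wallet );
    wp_send_json_success();
}

// The same defect on a REST route is `'permission_callback' => '__return_true'`,
// which registers the route with no authorization at all. The fix is a callback
// that performs the capability check; REST cookie auth already handles the nonce.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/wallet', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_wallet',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'wallet' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
function example_rest_save_wallet( WP_REST_Request $request ) {
    update_option( 'example_payout_wallet', $request->get_param( 'wallet' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When auditing a plugin for this class of bug, grep its source for add_action( 'wp_ajax_ and register_rest_route( and confirm that each handler reached by a logged-in user either calls current_user_can() with an appropriate capability or has a permission_callback that does; a handler guarded only by a nonce, by is_admin(), or by nothing is the pattern this CVE describes.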
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:07.865Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6955a05adb813ff03e045d8d
Added to database: 12/31/2025, 10:14:50 PM
Last enriched: 1/21/2026, 12:36:53 AM
Last updated: 2/7/2026, 12:37:43 PM
Views: 33
Community Reviews
0 reviews
Related Threats
- CVE-2026-2085: Command Injection in D-Link DWR-M921 (High)
- CVE-2026-2084: OS Command Injection in D-Link DIR-823X (High)
- CVE-2026-2083: SQL Injection in code-projects Social Networking Site (Medium)
- CVE-2026-2082: OS Command Injection in D-Link DIR-823X (Medium)
- CVE-2026-2080: Command Injection in UTT HiPER 810 (High)