CVE-2025-66155: CWE-862 Missing Authorization in merkulove Questionar for Elementor
Missing Authorization vulnerability in merkulove Questionar for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Questionar for Elementor: from n/a through 1.1.7.
AI Analysis
Technical Summary
CVE-2025-66155 identifies a Missing Authorization vulnerability, classified under CWE-862, in the merkulove Questionar plugin for Elementor, a WordPress plugin used to create interactive questionnaires. The flaw stems from incorrectly configured access control: an action that should be restricted to privileged users can be performed by a user holding only low privileges (PR:L). The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) describes an issue exploitable remotely over the network with low attack complexity, no user interaction and low privileges required; it has no confidentiality impact, but low integrity and availability impact, meaning an attacker could alter or disrupt questionnaire data or functionality. All plugin versions up to and including 1.1.7 are affected, though the earliest vulnerable version is not specified. No patch and no known exploit have been reported yet, but the presence of the flaw in a widely used WordPress plugin component puts sites that rely on it for user engagement and data collection at risk. The CVE was reserved in late 2025 and published at the end of 2025, indicating a recent discovery, and the absence of a patch link suggests that remediation is pending or in development. Exploitation could be used to manipulate questionnaire content, disrupt service availability, or perform other unauthorized actions within the plugin's scope, affecting website reliability and user trust.
Potential Impact
For European organizations, the impact of CVE-2025-66155 can be significant, particularly for those relying on WordPress sites with the Elementor page builder and the merkulove Questionar plugin. Unauthorized modification or disruption of questionnaire data can lead to misinformation, loss of user trust, and potential operational disruptions if these questionnaires are used for customer feedback, lead generation, or internal surveys. The integrity and availability impacts could affect business processes dependent on accurate data collection. Additionally, compromised sites might be leveraged for further attacks or reputational damage. Since the vulnerability requires only limited privileges, attackers who gain low-level access (e.g., through compromised user accounts) can escalate their impact without needing full administrative rights. This increases the risk profile for organizations with multiple user roles and less stringent privilege management. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once patches are available or if the vulnerability becomes public knowledge.
Mitigation Recommendations
Organizations should monitor the merkulove Questionar plugin for official security updates and apply patches immediately upon release. Until a patch is available, restrict plugin access to trusted users only and review user roles and permissions to minimize the number of accounts with privileges that could exploit this vulnerability. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin endpoints. Conduct regular audits of WordPress user accounts and plugin configurations to ensure no unauthorized changes occur. Additionally, consider isolating critical questionnaire data and backing it up frequently to enable recovery in case of integrity or availability compromise. Employ security monitoring tools to detect anomalous behavior related to the plugin and maintain incident response readiness. Finally, educate site administrators about the risks of privilege escalation and the importance of strong credential management.
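For plugin maintainers and code auditors, the following is an added illustration of what a CWE-862 missing-authorization bug typically looks like in a WordPress AJAX handler, next to its hardened form. It is not the Questionar plugin's own code: the hook names, option name and function names are hypothetical, and the capability used (`manage_options`) is an assumed choice that a real plugin would align with the role that should own the questionnaire settings.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin. NOT code from the
// Questionar plugin; every hook, option and function name here is hypothetical.

// BEFORE (vulnerable): wp_ajax_* handlers run for ANY authenticated user,
// including Subscriber-level accounts (CVSS PR:L). Nothing checks whether the
// caller is allowed to change questionnaire settings, and no nonce is verified,
// so a low-privilege account can overwrite the option (integrity/availability).
add_action( 'wp_ajax_demo_save_questionnaire_vuln', 'demo_save_questionnaire_vulnerable' );
function demo_save_questionnaire_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_questionnaire_settings', $settings );
    wp_send_json_success();
}

// AFTER (hardened): explicit authorization, CSRF nonce, and input sanitization.
add_action( 'wp_ajax_demo_save_questionnaire', 'demo_save_questionnaire_fixed' );
function demo_save_questionnaire_fixed() {
    // Authorization (the CWE-862 fix): only users with the required capability
    // may proceed. wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Anti-CSRF: the request must carry a nonce issued for this exact action
    // (wp_create_nonce( 'demo_save_questionnaire' ) on the admin page).
    check_ajax_referer( 'demo_save_questionnaire', 'nonce' );

    // Sanitize every leaf of the submitted structure before persisting it.
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = is_array( $raw ) ? map_deep( $raw, 'sanitize_text_field' ) : array();

    update_option( 'demo_questionnaire_settings', $settings );
    wp_send_json_success( array( 'saved' => count( $settings ) ) );
}
```

When auditing a plugin for this class of bug, grep for every `add_action( 'wp_ajax_` and `register_rest_route(` registration and confirm each callback (or REST `permission_callback`) performs a capability check before any state change; a nonce alone is not authorization, since nonces are issued to low-privilege users too.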
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:13.460Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69555a03db813ff03ef4dd91
Added to database: 12/31/2025, 5:14:43 PM
Last enriched: 1/21/2026, 12:37:35 AM
Last updated: 2/5/2026, 12:19:37 PM