CVE-2025-66155 identifies a Missing Authorization vulnerability (CWE-862) in the merkulove Questionar plugin for Elementor, a WordPress plugin used to create questionnaires and forms. This vulnerability arises from incorrectly configured access control mechanisms, allowing users with certain privileges to perform unauthorized actions that should be restricted. The affected versions include all up to 1.1.7, with no specific version range provided. The vulnerability is exploitable remotely (AV:N) with low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The scope remains unchanged (S:U), meaning the impact is confined to the vulnerable component. The CVSS 3.1 base score is 5.4, indicating a medium severity level. The impact primarily affects integrity and availability, as unauthorized actions could modify or disrupt questionnaire data or plugin functionality. No known exploits have been reported in the wild, and no patches are currently available. The vulnerability was reserved in November 2025 and published at the end of the year. The plugin’s role in managing user input and data collection makes it a target for attackers seeking to manipulate form data or disrupt service availability. The lack of proper authorization checks suggests a design or implementation flaw in access control logic within the plugin’s codebase.

For European organizations, this vulnerability poses a risk to the integrity and availability of data collected through the Questionar plugin, potentially leading to unauthorized data modifications or denial of service conditions. Organizations relying on this plugin for customer feedback, surveys, or internal data collection could face disruptions or data tampering, impacting business operations and decision-making processes. Given the plugin’s integration with WordPress, a widely used CMS in Europe, the attack surface is significant. Compromise could also lead to reputational damage, especially for organizations subject to GDPR, as unauthorized data manipulation might result in non-compliance or data integrity issues. The requirement for some level of privileges means insider threats or compromised accounts could exploit this vulnerability. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

European organizations should immediately audit and restrict user privileges related to the Questionar plugin, ensuring only trusted users have the necessary permissions. Implement strict role-based access controls within WordPress and monitor logs for unusual activities involving the plugin. Disable or remove the plugin if it is not essential, or isolate it in environments with limited exposure. Prepare for patch deployment by subscribing to vendor or security mailing lists to receive updates promptly. Conduct code reviews or penetration testing focused on access control mechanisms in the plugin. Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting the plugin endpoints. Additionally, implement multi-factor authentication (MFA) for all accounts with elevated privileges to reduce the risk of credential compromise. Regularly back up WordPress sites and plugin data to enable rapid recovery in case of exploitation.