CVE-2025-66158: CWE-862 Missing Authorization in merkulove Gmaper for Elementor
Missing Authorization vulnerability in merkulove Gmaper for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gmaper for Elementor: from n/a through 1.0.9.
AI Analysis
Technical Summary
CVE-2025-66158 identifies a missing authorization vulnerability (CWE-862) in the merkulove Gmaper for Elementor plugin, a WordPress plugin used to integrate Google Maps functionality into Elementor-built websites. The vulnerability arises from incorrectly configured access control security levels, allowing users with limited privileges (PR:L, low privileges required) to perform actions beyond their authorization scope. The CVSS 3.1 base score is 5.4 (medium), reflecting that the attack vector is network-based (AV:N) and that exploitation requires low attack complexity (AC:L) and low privileges (PR:L) but no user interaction (UI:N). The impact affects integrity and availability (I:L/A:L) but not confidentiality (C:N). In practice, an attacker with some authenticated access can manipulate or disrupt plugin functionality, potentially altering map data or causing service interruptions. The vulnerability affects all versions up to and including 1.0.9, with no patch currently available and no known exploits in the wild. The issue was reserved in November 2025 and published at the end of 2025. The plugin's role in web content presentation makes it a target for attackers aiming to deface or disrupt websites, especially those relying on map-based services. The missing authorization checks could allow privilege escalation within the plugin's context, undermining site integrity and availability.
Potential Impact
For European organizations, especially those relying on WordPress and Elementor for their web presence, this vulnerability could lead to unauthorized modifications of embedded maps or disruptions in map services, affecting customer experience and operational continuity. Integrity impacts could result in misleading or malicious map data being displayed, potentially damaging reputation or causing misinformation. Availability impacts could lead to denial of map services, impairing business functions that depend on location-based information. While confidentiality is not directly impacted, the disruption or manipulation of publicly visible content can have indirect consequences. Organizations in sectors such as tourism, real estate, logistics, and local services that heavily use map integrations are particularly at risk. The medium severity score indicates a moderate risk level, but the ease of exploitation by authenticated users means insider threats or compromised accounts could leverage this vulnerability effectively. The absence of known exploits currently provides a window for proactive mitigation.
Mitigation Recommendations
1. Immediately audit user privileges and restrict access to the Gmaper for Elementor plugin to only trusted and necessary users, to minimize the risk of exploitation by low-privilege accounts.
2. Implement strict role-based access controls (RBAC) within WordPress to ensure that only authorized administrators or editors can interact with the plugin's sensitive functions.
3. Monitor logs and website activity for unusual changes or disruptions related to map content or plugin behavior, enabling early detection of exploitation attempts.
4. Isolate critical web infrastructure and consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin endpoints.
5. Stay informed about vendor updates and apply patches promptly once released, as no official patch is currently available.
6. Consider temporarily disabling or replacing the plugin with an alternative solution if the risk is unacceptable and no immediate patch is available.
7. Conduct regular security assessments and penetration testing focusing on WordPress plugins and access control mechanisms to identify similar authorization weaknesses.
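The CWE-862 pattern described in the technical summary, shown next to the capability-checked form that recommendation 2 calls for. This is an added illustration, not code from the Gmaper for Elementor plugin; the hook names, option key and request fields are hypothetical.

```php
<?php
// Added example: a missing-authorization (CWE-862) AJAX handler in a
// WordPress plugin and its hardened counterpart. Hook names, the option
// key and the request fields are hypothetical, not the plugin's real ones.

// --- Weak pattern: 'wp_ajax_' hooks fire for ANY logged-in user, so without
// a capability check a Subscriber-level account can overwrite map settings
// (the integrity/availability impact the CVSS vector describes).
add_action( 'wp_ajax_example_save_map', 'example_save_map_unchecked' );
function example_save_map_unchecked() {
    $settings = array(
        'lat'  => floatval( $_POST['lat'] ?? 0 ),
        'lng'  => floatval( $_POST['lng'] ?? 0 ),
        'zoom' => absint( $_POST['zoom'] ?? 10 ),
    );
    update_option( 'example_map_settings', $settings ); // no authorization
    wp_send_json_success( $settings );
}

// --- Hardened form: same handler with authorization, CSRF and input checks.
add_action( 'wp_ajax_example_save_map_secure', 'example_save_map_checked' );
function example_save_map_checked() {
    // 1. Authorization: only users who may manage site options proceed.
    //    current_user_can() is the check that CWE-862 handlers omit.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. Nonce: the client must send wp_create_nonce( 'example_save_map' )
    //    as 'nonce'; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_save_map', 'nonce' );

    // 3. Validation: reject values outside the valid coordinate/zoom range.
    $lat  = floatval( wp_unslash( $_POST['lat'] ?? '' ) );
    $lng  = floatval( wp_unslash( $_POST['lng'] ?? '' ) );
    $zoom = absint( wp_unslash( $_POST['zoom'] ?? 10 ) );
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 || $zoom > 21 ) {
        wp_send_json_error( array( 'message' => 'invalid map settings' ), 400 );
    }

    $settings = compact( 'lat', 'lng', 'zoom' );
    update_option( 'example_map_settings', $settings );
    wp_send_json_success( $settings );
}
```

The same rule applies to REST routes: a `register_rest_route()` call needs a `permission_callback` that performs the equivalent `current_user_can()` test, rather than `__return_true`.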
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:13.461Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69555650db813ff03ef42843
Added to database: 12/31/2025, 4:58:56 PM
Last enriched: 1/21/2026, 12:38:28 AM
Last updated: 2/7/2026, 5:26:31 AM