CVE-2025-66158: CWE-862 Missing Authorization in merkulove Gmaper for Elementor
Missing Authorization vulnerability in merkulove Gmaper for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gmaper for Elementor: from n/a through 1.0.9.
AI Analysis
Technical Summary
CVE-2025-66158 is a Missing Authorization vulnerability (CWE-862) in the merkulove Gmaper plugin for Elementor, a WordPress plugin used to embed Google Maps on websites. The flaw stems from incorrectly configured access control security levels, allowing users with only low privileges (CVSS PR:L) to perform actions that should be restricted. All versions up to and including 1.0.9 are affected; the lower bound of the range is unspecified ('n/a' through 1.0.9). The CVSS v3.1 base score is 5.4 (Medium), with attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L). In practice, an attacker holding a low-privileged authenticated account can exploit the flaw remotely, without any user interaction, to alter data or disrupt service availability. The vulnerability does not expose confidential information, but it can undermine the integrity of the plugin's functionality and the availability of map features on affected websites. No exploits in the wild have been reported, and no patch had been released at the time of publication. The issue was reserved in November 2025 and published at the end of December 2025. It is particularly relevant to organizations running WordPress sites with Elementor and the Gmaper plugin, since malicious insiders or compromised accounts could use it to escalate their privileges or cause service disruptions.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the integrity and availability of web services that rely on the Gmaper plugin for displaying maps. Organizations in sectors such as tourism, real estate, logistics, and local government that embed maps on their websites may experience unauthorized modifications or temporary outages of map features, potentially degrading user experience and trust. While confidentiality is not directly impacted, the disruption or manipulation of map data could indirectly affect business operations and customer interactions. Since exploitation requires some level of privileges, the threat is more significant in environments where user privilege management is lax or where insider threats exist. The lack of patches increases exposure time, and organizations using outdated versions of the plugin are at higher risk. Given the widespread use of WordPress and Elementor in Europe, especially in small and medium enterprises, the vulnerability could have a broad impact if exploited at scale.
Mitigation Recommendations
1. Immediately audit user roles and permissions within WordPress to ensure that only trusted users have privileges that could exploit this vulnerability.
2. Restrict access to the Gmaper plugin's administrative functions to the minimum necessary users.
3. Monitor logs for unusual activity related to map configuration or plugin settings changes.
4. Disable or remove the Gmaper plugin if it is not essential, to reduce the attack surface.
5. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the plugin endpoints.
6. Stay alert for official patches or updates from merkulove and apply them promptly once available.
7. Consider deploying plugin vulnerability scanners that can detect outdated or vulnerable versions of Gmaper.
8. Educate site administrators about the risks of privilege escalation and the importance of strong access controls.
9. Use multi-factor authentication (MFA) for all WordPress admin accounts to reduce the risk of compromised credentials being used to exploit this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:13.461Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69555650db813ff03ef42843
Added to database: 12/31/2025, 4:58:56 PM
Last enriched: 12/31/2025, 5:15:22 PM
Last updated: 1/8/2026, 7:21:33 AM