CVE-2025-66160: CWE-862 Missing Authorization in merkulove Select Graphist for Elementor Graphist for Elementor
Missing Authorization vulnerability in merkulove Select Graphist for Elementor Graphist for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Select Graphist for Elementor Graphist for Elementor: from n/a through 1.2.10.
AI Analysis
Technical Summary
CVE-2025-66160 identifies a missing authorization vulnerability (CWE-862) in the 'Select Graphist for Elementor' WordPress plugin developed by merkulove. This vulnerability arises from incorrectly configured access control mechanisms that fail to properly verify whether a user has the necessary permissions before allowing certain actions within the plugin. Affected versions include all releases up to 1.2.10. The vulnerability allows an attacker with some authenticated privileges (PR:L) to bypass authorization checks and perform actions that should be restricted, potentially leading to unauthorized access or modification of plugin-related data or settings. The attack vector is network-based (AV:N), requiring no user interaction (UI:N), and the scope remains unchanged (S:U), meaning the impact is confined to the vulnerable component without affecting other system components. The CVSS v3.1 base score is 5.4, indicating a medium severity level, with impacts primarily on confidentiality and integrity but no impact on availability. No public exploits or patches are currently available, and the vulnerability was reserved and published in late 2025. This issue is significant for organizations relying on this plugin for website content management and graphical features, as unauthorized changes could lead to data leakage or integrity violations within the website environment.
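The CWE-862 pattern described above, as an added illustration that is not code from the Select Graphist for Elementor plugin: a hypothetical WordPress AJAX settings handler that persists options without any authorization check, beside the same handler gated by a capability check and a nonce. The action name, option key, setting keys and required capability are assumptions chosen for the example.

```php
<?php
// Hypothetical WordPress plugin code, not taken from Select Graphist for Elementor.
// Action name, option key, setting keys and capability are assumptions.

// BEFORE (CWE-862): wp_ajax_* hooks are reachable by any authenticated user, and
// this callback writes plugin settings without asking whether the caller may do so.
// The vulnerable pattern registered it as:
//   add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// AFTER: the same handler with an authorization check and CSRF protection.
// A low-privileged account (CVSS PR:L) now receives HTTP 403 instead of being
// able to modify the plugin's settings.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // Authorization: only users allowed to manage site options may change settings.
    // wp_send_json_error() ends the request, so nothing below runs for other users.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();

    // Validate before persisting: accept only a known set of scalar keys.
    $clean = array();
    foreach ( array( 'color', 'layout' ) as $key ) {
        if ( isset( $settings[ $key ] ) && is_scalar( $settings[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $settings[ $key ] );
        }
    }

    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}
```

The same rule applies to REST routes registered with register_rest_route(): a permission_callback that returns true unconditionally is the REST-API form of the same missing authorization.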
Potential Impact
For European organizations, the vulnerability poses a moderate risk primarily to the confidentiality and integrity of website content managed via the affected plugin. Attackers with limited authenticated access could exploit the missing authorization to alter graphical content, potentially injecting misleading or malicious information, or accessing sensitive configuration data. While availability is not impacted, the integrity compromise could damage brand reputation and user trust, especially for e-commerce, media, and public sector websites. Organizations with extensive WordPress deployments using this plugin may face increased risk of targeted attacks, particularly if user roles are not tightly controlled. The lack of known exploits reduces immediate risk, but the absence of patches necessitates proactive risk management. The vulnerability could also be leveraged as a foothold for further attacks if combined with other weaknesses in the web infrastructure.
Mitigation Recommendations
Until an official patch is released, European organizations should implement strict role-based access controls within WordPress to limit plugin usage to trusted administrators only. Review and audit user permissions regularly to ensure no unnecessary privileges are granted. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. Monitor logs for unusual activity related to the plugin, such as unexpected configuration changes or access attempts. Consider temporarily disabling or removing the plugin if it is not critical to operations. Stay informed through vendor advisories and security mailing lists to apply patches promptly once available. Additionally, conduct security awareness training for administrators managing WordPress environments to recognize potential exploitation attempts.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:13.461Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69555650db813ff03ef42849
Added to database: 12/31/2025, 4:58:56 PM
Last enriched: 12/31/2025, 5:14:52 PM
Last updated: 1/8/2026, 7:22:12 AM