CVE-2025-66160 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the merkulove Select Graphist for Elementor plugin, a WordPress plugin used for graphical content creation and management. The flaw exists due to incorrectly configured access control security levels, allowing users with limited privileges (PR:L) to perform actions beyond their authorization scope without requiring user interaction (UI:N). The vulnerability affects versions up to 1.2.10, with no specific version range detailed beyond 'n/a' to 1.2.10. The CVSS 3.1 base score is 5.4, indicating a medium severity level, with attack vector being network (AV:N), low attack complexity (AC:L), and no impact on availability (A:N). The confidentiality and integrity impacts are limited (C:L, I:L), meaning some unauthorized data disclosure or modification is possible but not complete compromise. The vulnerability does not require user interaction, which increases exploitation feasibility, but it does require some level of privileges, reducing the attack surface to authenticated users or insiders. No public exploits or patches are currently available, but the vulnerability is published and reserved as of late 2025. This vulnerability could be exploited by attackers to bypass access controls and manipulate or view restricted graphical content or settings within the plugin, potentially leading to data leakage or unauthorized content changes.

For European organizations, especially those relying on WordPress for content management and using the merkulove Select Graphist for Elementor plugin, this vulnerability poses a risk of unauthorized access and modification of graphical content or related data. This could lead to partial confidentiality breaches, such as exposure of sensitive graphical assets or configuration details, and integrity issues, including unauthorized changes to visual content that could affect brand reputation or user trust. Although availability is not impacted, the unauthorized modifications could disrupt business processes or marketing campaigns. Organizations in sectors like media, marketing, e-commerce, and digital agencies are particularly at risk. The requirement for some privileges means that insider threats or compromised accounts could be leveraged to exploit this vulnerability. Given the widespread use of WordPress across Europe, the impact could be significant if not mitigated, especially in countries with large digital economies and extensive WordPress adoption.

1. Monitor for and apply vendor patches immediately once available to address the missing authorization flaw. 2. In the interim, restrict plugin usage to trusted users only and review user roles and permissions to minimize privilege levels, ensuring no unnecessary elevated access is granted. 3. Implement additional access control mechanisms at the WordPress or server level, such as web application firewalls (WAFs) with custom rules to detect and block unauthorized attempts to access plugin functions. 4. Conduct regular audits of user activities and plugin configurations to detect anomalies or unauthorized changes. 5. Employ multi-factor authentication (MFA) for all users with access to WordPress admin areas to reduce the risk of account compromise. 6. Educate administrators and content managers about the risks of privilege escalation and the importance of strict access controls. 7. Consider isolating critical content management functions or using alternative plugins with stronger security postures if immediate patching is not feasible.