CVE-2025-66165 identifies a missing authorization vulnerability in the merkulove Lottier plugin for WPBakery, a WordPress page builder plugin widely used for creating animated content. The vulnerability arises from incorrectly configured access control security levels, which allow unauthorized users to perform actions that should be restricted. Specifically, the plugin versions up to and including 1.1.7 do not properly enforce authorization checks on certain functions or endpoints, enabling attackers to bypass security controls. This can lead to unauthorized content manipulation, privilege escalation, or other malicious activities within the affected WordPress environment. The vulnerability was reserved on November 21, 2025, and published on December 16, 2025, but no CVSS score or public exploit is currently available. The lack of a patch link indicates that a fix may still be pending or in development. The vulnerability affects all installations using the vulnerable plugin versions, especially those integrated with WPBakery, which is popular in many European websites. The attack vector likely involves unauthenticated or low-privilege users exploiting the missing authorization to gain elevated access or perform unauthorized actions. Since WordPress powers a significant portion of European websites, and WPBakery is a common page builder, the impact could be widespread if exploited. However, exploitation requires the presence of the vulnerable plugin and its specific versions. The vulnerability highlights the importance of proper access control implementation in WordPress plugins to prevent unauthorized access and maintain site integrity.

For European organizations, the impact of CVE-2025-66165 can be significant, especially for those relying on WordPress with the WPBakery page builder and the merkulove Lottier plugin. Unauthorized access due to missing authorization can lead to content defacement, insertion of malicious code, or privilege escalation within the website environment. This can compromise the confidentiality and integrity of the website content and potentially affect availability if attackers disrupt site functionality. Organizations in sectors such as e-commerce, media, education, and government that use these tools for their web presence may face reputational damage, data breaches, or service interruptions. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement. The absence of known exploits currently limits immediate risk, but the vulnerability's presence in popular plugins means that automated scanning and exploitation attempts could emerge rapidly once public details circulate. European entities with strict data protection regulations (e.g., GDPR) must be particularly vigilant to avoid compliance violations resulting from unauthorized data exposure or website compromise.

1. Monitor the merkulove vendor announcements and Patchstack advisories closely for the release of an official security patch addressing CVE-2025-66165 and apply it immediately upon availability. 2. In the interim, restrict access to WordPress administrative and plugin management interfaces to trusted IP addresses or VPNs to reduce exposure. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the Lottier plugin endpoints or unusual access patterns. 4. Conduct an audit of user roles and permissions within WordPress to ensure the principle of least privilege is enforced, minimizing the risk of privilege escalation. 5. Regularly back up website data and configurations to enable rapid recovery in case of compromise. 6. Use security plugins that provide real-time monitoring and alerting for unauthorized changes or access attempts. 7. Educate site administrators about the risks of installing outdated or unverified plugins and encourage timely updates. 8. If feasible, temporarily disable or remove the vulnerable plugin until a patch is available, especially on high-risk or critical websites. 9. Perform penetration testing or vulnerability scanning focused on access control weaknesses to identify other potential authorization issues. 10. Maintain an incident response plan tailored to web application compromises to ensure rapid containment and remediation if exploitation occurs.