CVE-2025-66165: Missing Authorization in merkulove Lottier for WPBakery
Missing Authorization vulnerability in merkulove Lottier for WPBakery (lottier-wpbakery) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for WPBakery: from n/a through <= 1.1.7.
AI Analysis
Technical Summary
CVE-2025-66165 is a missing authorization issue (the CWE-862 class) in the merkulove Lottier for WPBakery plugin, affecting every version up to and including 1.1.7. In WordPress plugins this class of bug usually means that a handler reachable by authenticated users, typically an admin-ajax.php action or a REST route, acts without first checking the caller's capability with current_user_can(); a nonce check, where one exists, only proves the request was not forged cross-site and is not authorization. The advisory does not identify the affected handler, so that is the general pattern rather than the confirmed code path. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, base score 5.4, Medium) says the attack is reachable over the network, has low complexity, needs a low-privileged account (PR:L, so any authenticated user such as a Subscriber may be enough), needs no user interaction, and has limited confidentiality and integrity impact with no availability impact. Scope is unchanged, so the rating does not support privilege escalation beyond the plugin's own data; in practical terms an authenticated low-privileged user could read or change plugin data or settings that should be restricted to Editors or Administrators. The plugin is a WordPress add-on for placing Lottie animations in WPBakery Page Builder layouts. No exploitation in the wild is known and no patch is linked on this page, so mitigation currently depends on a vendor update or on reducing who can reach the plugin. The CVE was reserved on 2025-11-21 and published in mid-December 2025.
Potential Impact
For European organizations the exposure depends first on whether the plugin is installed at all; it is a niche add-on, so the starting point is an inventory of WordPress sites that run both WPBakery Page Builder and Lottier. Where it is present, any authenticated low-privileged account could read or alter plugin data it should not reach, which can expose information or change content rendered on the public site. Availability is not affected, but unauthorized content changes damage integrity and user trust. The risk is higher on sites with many low-privileged users, for example membership, e-commerce, media and public-sector sites, and highest where self-registration is open, because an attacker can then create the account that PR:L requires. With S:U and C:L/I:L the vulnerability by itself does not give administrative control or a foothold beyond the WordPress application, although it could be chained with other weaknesses, and any unauthorized access to personal data may trigger breach-notification duties under the GDPR. No exploitation in the wild is known at the time of writing; the Medium rating still warrants scheduling the fix rather than treating it as optional.
Mitigation Recommendations
1. Watch merkulove's release channel and the Patchstack advisory for a fixed version of Lottier for WPBakery and update as soon as a release above 1.1.7 is available; this page lists no patch yet.
2. Until then, shrink the pool of accounts that satisfy PR:L: remove dormant users, and disable open registration (Settings > General, "Anyone can register") unless the site needs it, since any authenticated account may be enough to reach the unprotected code path.
3. Enforce least privilege on WordPress roles: do not grant Editor or custom page-builder capabilities broadly, and keep accounts that can edit layouts limited to trusted staff.
4. Audit user roles and plugin configuration periodically; WP-CLI (`wp user list`, `wp plugin list`) makes this scriptable.
5. At the WAF or reverse proxy, log and rate-limit POST requests to wp-admin/admin-ajax.php and /wp-json/ from non-administrator sessions. The affected handler is not public, so a targeted block rule is not possible; the aim is visibility.
6. Review logs for low-privileged accounts issuing requests to plugin-related admin-ajax actions or REST routes, and for unexpected changes to pages or options.
7. Brief site administrators and developers on the issue so the update is applied promptly once released.
8. Test the eventual update on a staging copy before rolling it to production, and isolate business-critical WordPress instances from less important ones.
9. If the animations are not business-critical, deactivate or uninstall the plugin until a fixed version ships; that removes the exposure entirely.
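As an added example, not code from the advisory, Patchstack or merkulove: a POSIX shell script that turns steps 1, 2, 4 and 9 above into one repeatable check using WP-CLI. It assumes `wp` is on PATH and that it runs from the WordPress root; the slug `lottier-wpbakery` and the affected range `<= 1.1.7` come from the description above; the roles it counts (subscriber, contributor, author) are an assumption about which accounts meet PR:L, since the advisory does not say which role is needed. The version comparison is done field by field in the shell so it does not depend on `sort -V`.

```shell
#!/bin/sh
# Added example for CVE-2025-66165 (not from the advisory or the plugin vendor).
# Assumes WP-CLI ("wp") on PATH, run from the WordPress root. Slug and affected
# range are taken from the advisory; the roles counted below are an assumption.
set -u

SLUG="lottier-wpbakery"
AFFECTED_MAX="1.1.7"      # affected: every version <= 1.1.7

# version_cmp A B: prints -1, 0 or 1 as A <, = or > B, comparing dotted numeric
# fields (so 1.1.10 > 1.1.7); a missing field counts as 0 and a non-numeric
# suffix such as "-rc1" is ignored.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# lottier_is_affected VERSION: exit 0 when VERSION is within the affected range.
lottier_is_affected() {
    [ -n "${1:-}" ] || return 2
    [ "$(version_cmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# Live check of the site this script runs in (skipped when WP-CLI is absent).
check_site() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp (WP-CLI) not found; skipping live check" >&2
        return 0
    fi
    if ! wp plugin is-installed "$SLUG"; then
        echo "$SLUG is not installed: not affected"
        return 0
    fi
    ver=$(wp plugin get "$SLUG" --field=version)
    if ! lottier_is_affected "$ver"; then
        echo "$SLUG $ver is outside the affected range (> $AFFECTED_MAX)"
        return 0
    fi
    echo "$SLUG $ver is affected (<= $AFFECTED_MAX)"
    # PR:L: any authenticated account may be enough, so count the low-privileged
    # ones (role list is an assumption; add the site's custom roles as needed).
    for role in subscriber contributor author; do
        n=$(wp user list --role="$role" --field=ID | wc -l | tr -d ' ')
        echo "  accounts with role $role: $n"
    done
    # Open registration lets any visitor obtain the PR:L account they need.
    if wp option get users_can_register | grep -qx 1; then
        echo "  WARNING: 'Anyone can register' is enabled; disable it until patched"
    fi
    if [ "${DEACTIVATE:-0}" = 1 ]; then
        wp plugin deactivate "$SLUG"        # mitigation step 9
    fi
}

check_site
```

Run it as `sh check-lottier.sh` from the WordPress root; set `DEACTIVATE=1` to also deactivate the plugin when it is in the affected range. When `wp` is absent only the version functions are exercised, which makes them easy to reuse from a fleet inventory script.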
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:54.908Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69411752594e45819d70cb7d
Added to database: 12/16/2025, 8:24:50 AM
Last enriched: 2/5/2026, 8:11:48 AM
Last updated: 2/7/2026, 3:55:04 AM
Views: 45
Related Threats
- CVE-2026-2071: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)