CVE-2025-66166: Missing Authorization in merkulove Lottier for Elementor
Missing Authorization vulnerability in merkulove Lottier for Elementor lottier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for Elementor: from n/a through <= 1.0.9.
AI Analysis
Technical Summary
CVE-2025-66166 is a missing authorization (CWE-862) flaw in the merkulove Lottier for Elementor WordPress plugin, affecting all versions up to and including 1.0.9. The plugin exposes functionality without verifying that the calling user holds the capability the action requires. In WordPress plugins this class of bug usually takes the form of an AJAX (admin-ajax.php) or REST handler that is reachable by any authenticated user but omits a current_user_can() check; the advisory does not say which handler is affected here, so treat the plugin's privileged actions as suspect as a whole. The metrics cited for this issue, network-reachable (AV:N), low privileges required (PR:L), no user interaction (UI:N), and low confidentiality and integrity impact with no availability impact, are consistent with the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N and its base score of 5.4 (Medium). Note, however, that the CVE record's CVSS version field in the Technical Details below is null, so the score should be confirmed against the Patchstack or NVD entry. Practically, any logged-in account with limited rights, such as a Subscriber, is enough to reach the vulnerable functionality, so sites that allow open registration or carry many low-privilege users are the exposed population. No exploitation in the wild had been reported as of publication. The plugin integrates Lottie animations into pages built with the Elementor page builder. The advisory carries no patch link, so a fix may be pending or newly released; check the plugin changelog for a release above 1.0.9. The underlying lesson is the usual one for WordPress code: being logged in is not authorization, and every state-changing or data-returning handler needs an explicit capability check.
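The following is an added illustration of the bug class described above; it is not code from Lottier for Elementor or from merkulove, and the advisory does not say which handler in the plugin is affected. It shows a hypothetical settings handler in the shape that "missing authorization" reports in WordPress plugins usually take, beside a hardened version. Every name in it (the demo_* functions, the option key, the nonce action, the REST namespace) is an assumption.

```php
<?php
/*
 * Added illustration, not code from Lottier for Elementor: a hypothetical
 * settings handler showing the CWE-862 pattern behind "missing authorization"
 * reports in WordPress plugins, beside a hardened version. All names
 * (demo_*, the option key, the nonce action, the REST route) are assumptions.
 */

// --- Vulnerable form ---------------------------------------------------------
// wp_ajax_{action} fires for EVERY logged-in user, Subscriber included. Nothing
// here checks a capability or a nonce, so "logged in" silently becomes
// "authorized": a low-privileged account (PR:L) can read and rewrite the option.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_vulnerable' );
function demo_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_plugin_settings', $settings );              // integrity impact
    wp_send_json_success( get_option( 'demo_plugin_settings' ) );    // confidentiality impact
}

// --- Hardened form -----------------------------------------------------------
add_action( 'wp_ajax_demo_save_settings_v2', 'demo_save_settings_hardened' );
function demo_save_settings_hardened() {
    // 1. CSRF: the admin page that issues the request must embed
    //    wp_create_nonce( 'demo_settings' ) as the 'nonce' field.
    //    check_ajax_referer() dies with -1 when the nonce is missing or stale.
    check_ajax_referer( 'demo_settings', 'nonce' );

    // 2. Authorization: tie the action to a real capability, not to login state.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate input before it reaches the database.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = demo_sanitize_settings( $raw );
    update_option( 'demo_plugin_settings', $settings );
    wp_send_json_success( $settings );
}

// Whitelist the keys the plugin actually uses and coerce each to its type.
function demo_sanitize_settings( array $raw ) {
    return array(
        'animation_url' => isset( $raw['animation_url'] ) ? esc_url_raw( $raw['animation_url'] ) : '',
        'autoplay'      => empty( $raw['autoplay'] ) ? 0 : 1,
    );
}

// The same mistake in REST form is permission_callback => '__return_true' on a
// state-changing route; the fix is the same capability check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $settings = demo_sanitize_settings( (array) $req->get_param( 'settings' ) );
            update_option( 'demo_plugin_settings', $settings );
            return rest_ensure_response( $settings );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

To see the difference on a staging copy, log in as a Subscriber and POST action=demo_save_settings to /wp-admin/admin-ajax.php: the vulnerable handler answers with success and the stored option, while the hardened one answers -1 without a valid nonce and 403 without the manage_options capability. The nonce alone is not the fix; a Subscriber can obtain a nonce for any page they can view, so the capability check is what actually closes the authorization gap.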
Potential Impact
For European organizations, this vulnerability could allow a low-privileged user to read or modify content or configuration that the merkulove Lottier for Elementor plugin manages on their WordPress sites. That may mean leakage of plugin-held data or tampering with site elements, with the usual consequences for brand reputation and customer trust. E-commerce sites and service providers that rely on Elementor for user-facing pages could see integrity issues that degrade the user experience. Although the vulnerability does not directly impact availability, indirect effects such as defacement or data manipulation could disrupt business operations. Given the widespread use of WordPress and Elementor in Europe, especially among SMEs and digital agencies, the risk is non-trivial. Organizations running multi-user sites, and in particular sites with open registration, where low-privilege accounts are easy to obtain, are most at risk. The absence of known exploits reduces the immediate threat but does not eliminate the risk of future attacks, and authorization bugs in WordPress plugins are routinely weaponized once a patch diff makes the affected handler obvious. GDPR obligations may also be engaged if personal data confidentiality is compromised.
Mitigation Recommendations
Organizations should immediately inventory their WordPress installations to identify the presence of the merkulove Lottier for Elementor plugin (directory slug lottier-elementor) and confirm the installed version; on the command line, wp plugin list shows every plugin with its version. Until an official patch is released, reduce who can reach the plugin's functionality: because a low-privileged account is sufficient (PR:L), disable open registration (Settings > General, "Anyone can register") where it is not needed, prune or downgrade unused accounts, and consider deactivating the plugin on sites that can tolerate losing the animations. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests to admin-ajax.php and the REST API that carry the plugin's actions. Monitor logs for unusual access patterns, in particular non-administrator accounts invoking plugin features. Once a vendor release above 1.0.9 is available, apply it promptly (wp plugin update lottier-elementor), testing in a staging environment before production deployment. Additionally, implement the principle of least privilege for all WordPress user accounts and regularly audit user permissions. Consider disabling or removing unused plugins to reduce attack surface. Educate site administrators about the risks of installing plugins from unverified sources and the importance of timely updates. Finally, maintain regular backups to enable recovery in case of compromise.
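The inventory step above can be automated inside WordPress itself. The following is an added example, not vendor code: a must-use plugin that flags an installed Lottier for Elementor at version 1.0.9 or lower. The directory slug lottier-elementor is taken from the advisory; the plugin's main file name is not stated there, so the check matches on the directory only, and the demo_ function name and notice text are assumptions.

```php
<?php
/*
 * Plugin Name: CVE-2025-66166 exposure check (added example)
 * Description: Drop this file into wp-content/mu-plugins/. It warns users who
 *              can update plugins when Lottier for Elementor <= 1.0.9 is
 *              installed. Illustrative code, not from the vendor.
 */

// Pure check, kept separate from WordPress hooks so it can be called from
// wp eval or a unit test. $plugins is the array returned by get_plugins(),
// keyed "plugin-dir/main-file.php" => header data.
function demo_lottier_affected_version( array $plugins ) {
    foreach ( $plugins as $file => $data ) {
        // Only the directory slug "lottier-elementor" is known from the
        // advisory, so do not assume the main file name.
        if ( strpos( $file, 'lottier-elementor/' ) !== 0 ) {
            continue;
        }
        $version = isset( $data['Version'] ) ? $data['Version'] : '0';
        // version_compare() handles dotted versions correctly, so 1.0.10 is
        // correctly treated as newer than 1.0.9 (a plain string compare would not).
        if ( version_compare( $version, '1.0.9', '<=' ) ) {
            return $version;   // installed and affected
        }
        return null;           // installed at a version above 1.0.9
    }
    return null;               // not installed
}

add_action( 'admin_notices', function () {
    // Only people who could act on the warning need to see it.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $affected = demo_lottier_affected_version( get_plugins() );
    if ( null === $affected ) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'Lottier for Elementor %s is installed and affected by CVE-2025-66166 (versions <= 1.0.9). Update to a fixed release or deactivate the plugin.',
            $affected
        ) )
    );
} );
```

On a fleet managed with WP-CLI the same function can be queried without opening the dashboard, for example wp eval 'require_once ABSPATH . "wp-admin/includes/plugin.php"; var_dump( demo_lottier_affected_version( get_plugins() ) );', which returns the affected version string or NULL per site. Note that get_plugins() reports what is installed, not what is active; a deactivated copy of an affected version is not reachable through its hooks but should still be updated or removed.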
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:54.908Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69411752594e45819d70cb80
Added to database: 12/16/2025, 8:24:50 AM
Last enriched: 1/21/2026, 12:40:27 AM
Last updated: 2/7/2026, 6:23:29 AM
Views: 60
Related Threats
- CVE-2025-15491: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Post Slides (severity: Unknown)
- CVE-2025-15267: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder (severity: Medium)
- CVE-2025-13463: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder (severity: Medium)
- CVE-2025-12803: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in boldthemes Bold Page Builder (severity: Medium)
- CVE-2025-12159: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder (severity: Medium)