CVE-2025-66166: Missing Authorization in merkulove Lottier for Elementor
Missing Authorization vulnerability in merkulove Lottier for Elementor (lottier-elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for Elementor: from n/a through <= 1.0.9.
AI Analysis
Technical Summary
CVE-2025-66166 identifies a missing-authorization vulnerability, assigned by Patchstack, in merkulove's Lottier for Elementor plugin (slug lottier-elementor), a WordPress add-on that adds Lottie animation widgets to the Elementor page builder. The advisory classifies it as an incorrectly configured access-control level: some plugin functionality can be reached without the permission check it should carry. In WordPress plugins this class of bug almost always means that a handler exposed through admin-ajax.php, the REST API or a form action lacks a current_user_can() capability check, and frequently the accompanying nonce check, so a user with fewer privileges than the author intended can invoke it; whether unauthenticated visitors can reach it depends on how the handler is registered, and the advisory does not say. All releases up to and including 1.0.9 are affected; the advisory gives no lower bound. No CVSS score or vector has been published, so the privileges required, the need for user interaction and the impact on confidentiality, integrity and availability are not yet assessed, and missing-authorization issues in plugins range from low to high severity depending on what the unprotected function does. No in-the-wild exploitation had been reported at the time of publication, and the advisory lists no fixed version, so sites running 1.0.9 or earlier should assume the affected functionality is reachable by more users than intended until a fixed release appears. WordPress and Elementor are widely deployed across European organisations' websites and e-commerce platforms, which is why the issue is worth tracking before a severity is assigned.
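The handler pattern behind this vulnerability class, as an added example that is not code from the Lottier for Elementor plugin or from merkulove (the plugin's real handlers, actions, routes and option names are not on this page): a generic admin-ajax and REST handler written the way that produces a missing-authorization finding, followed by the hardened form. The action name example_save_animation, the route example/v1/animation, the option example_animation_settings and the capability edit_pages are assumptions chosen for illustration.

```php
<?php
// Added example of the WordPress missing-authorization pattern (CWE-862); this is
// not the Lottier for Elementor plugin's code. Action, route, option and
// capability names are assumptions. The vulnerable and hardened halves register
// the same hook and route, so they are alternatives: load only one in a plugin.

// ---- VULNERABLE: reachable by anyone who knows the action name ----------------
// wp_ajax_nopriv_* exposes the handler to unauthenticated visitors, and the
// handler checks neither a capability nor a nonce before writing a site option.
add_action('wp_ajax_example_save_animation',        'example_save_animation_unchecked');
add_action('wp_ajax_nopriv_example_save_animation', 'example_save_animation_unchecked');

function example_save_animation_unchecked() {
    $settings = wp_unslash($_POST['settings'] ?? '');
    update_option('example_animation_settings', $settings);
    wp_send_json_success();
}

// Same defect on the REST API: '__return_true' as permission_callback performs
// no authorization at all, so the route behaves like wp_ajax_nopriv_*.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/animation', [
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_unchecked',
        'permission_callback' => '__return_true',
    ]);
});

function example_rest_save_unchecked(WP_REST_Request $req) {
    update_option('example_animation_settings', $req->get_param('settings'));
    return rest_ensure_response(['ok' => true]);
}

// ---- HARDENED: the same functionality with authorization in place ------------
// Registered for logged-in users only, gated on a capability that matches the
// action performed (changing how pages render), protected by a nonce tied to the
// action, and the payload sanitized before storage. The nonce is a CSRF control;
// any logged-in user can obtain one, so it never replaces the capability check.
add_action('wp_ajax_example_save_animation', 'example_save_animation_checked');

function example_save_animation_checked() {
    check_ajax_referer('example_save_animation', 'nonce');      // dies on a missing or bad nonce
    if (!current_user_can('edit_pages')) {
        wp_send_json_error(['message' => 'forbidden'], 403);    // authorization, not just authentication
    }
    $settings = sanitize_text_field(wp_unslash($_POST['settings'] ?? ''));
    update_option('example_animation_settings', $settings);
    wp_send_json_success();
}

add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/animation', [
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_checked',
        // permission_callback is the REST API's authorization hook: it runs before
        // the callback, and a false return becomes a 401 or 403 response.
        'permission_callback' => function () {
            return current_user_can('edit_pages');
        },
        'args' => [
            'settings' => ['required' => true, 'sanitize_callback' => 'sanitize_text_field'],
        ],
    ]);
});

function example_rest_save_checked(WP_REST_Request $req) {
    update_option('example_animation_settings', $req->get_param('settings'));
    return rest_ensure_response(['ok' => true]);
}
```

When auditing a plugin for this class of bug, grep for add_action('wp_ajax_nopriv_…'), for 'permission_callback' => '__return_true', and for wp_ajax_ handlers and admin_post_ handlers whose bodies contain no current_user_can() call; each hit is a candidate for exactly the finding described above.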
Potential Impact
For European organisations the practical consequences depend on which plugin function lacks the check, and the advisory does not specify it. Typical outcomes for this bug class are modification of plugin settings or animation content on the live site (defacement, or injection of content into pages that Elementor renders) and disclosure of data the plugin stores or fetches on the site's behalf. Those translate into reputational damage, disruption of customer-facing sites and e-commerce flows, and, where personal data is exposed, GDPR notification duties and possible penalties. Because missing-authorization bugs in WordPress plugins are usually reached from low-privileged accounts, or without any account when a handler is registered for unauthenticated visitors, they lend themselves to automated mass exploitation once details circulate and do not require a skilled attacker. Organisations in retail, media and services that build their sites on Elementor, and any site that allows open user registration, are the most exposed.
Mitigation Recommendations
Organisations should first establish whether the plugin is installed and at which version (for example with wp plugin get lottier-elementor --field=version, or by reading the Version: header of the plugin's main file), and treat anything at or below 1.0.9 as affected. Until a release newer than 1.0.9 is available, reduce who can reach the plugin's code paths: restrict /wp-admin/ and the plugin-management screens to trusted administrators behind strong authentication, review which roles and accounts exist on the site, and disable open user registration, since missing-authorization issues are typically reached through low-privileged accounts. A Web Application Firewall can rate-limit or block unusual POST traffic to admin-ajax.php and the REST API from sources that should never generate it, but with no public details of the affected endpoint such rules cannot be tightly targeted, so log-based monitoring of admin-ajax.php and wp-json requests, of option changes and of new or modified pages is the more reliable early-warning control. Subscribe to the vendor's release notes and to Patchstack or WordPress.org advisories and update promptly once a fixed release ships. If the plugin is not essential, deactivate and remove it rather than leaving a known-unfixed code path active; if it is essential, consider a replacement without open advisories. Regular plugin inventories and penetration tests that cover the WordPress plugin surface help catch similar issues before they are published.
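The version check from the first recommendation, as an added example that is not part of the advisory: a PHP CLI script that looks for the plugin in a wp-content/plugins directory, reads the Version: header the way WordPress itself does (first 8 KiB of the main file), and compares it with the advisory's affected range. The slug lottier-elementor comes from the advisory; the assumption that the plugin's main file sits directly in that directory and the sample header built in a temporary directory are constructed for the example.

```php
<?php
// Added example, not part of the advisory or the plugin: locate Lottier for
// Elementor in a plugins directory and decide whether its version falls in the
// affected range (<= 1.0.9). Slug from the advisory; file layout assumed to
// follow the WordPress plugin-header convention.

const AFFECTED_SLUG    = 'lottier-elementor';
const AFFECTED_THROUGH = '1.0.9';

// Return the Version: header of the first PHP file in the plugin directory
// that carries one, or null if the plugin is not present.
function find_plugin_version(string $pluginsDir, string $slug): ?string {
    foreach (glob("$pluginsDir/$slug/*.php") ?: [] as $file) {
        $head = file_get_contents($file, false, null, 0, 8192); // WordPress reads 8 KiB
        if ($head !== false && preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m)) {
            return $m[1];
        }
    }
    return null;
}

// Summarise presence, version and whether the advisory range applies.
function assess(string $pluginsDir): array {
    $version = find_plugin_version($pluginsDir, AFFECTED_SLUG);
    if ($version === null) {
        return ['present' => false, 'version' => null, 'affected' => false];
    }
    return [
        'present'  => true,
        'version'  => $version,
        'affected' => version_compare($version, AFFECTED_THROUGH, '<='),
    ];
}

// Constructed sample: a throwaway plugins directory so the script runs offline
// without touching a live site. On a real host pass wp-content/plugins instead.
$pluginsDir = sys_get_temp_dir() . '/wp-plugins-' . getmypid();
$pluginDir  = "$pluginsDir/" . AFFECTED_SLUG;
mkdir($pluginDir, 0700, true);
file_put_contents("$pluginDir/lottier-elementor.php",
    "<?php\n/**\n * Plugin Name: Lottier for Elementor\n * Version: 1.0.9\n */\n");

$result = assess($argv[1] ?? $pluginsDir);
printf("present=%s version=%s affected=%s\n",
    var_export($result['present'], true),
    $result['version'] ?? 'n/a',
    var_export($result['affected'], true));

// Clean up the constructed sample.
unlink("$pluginDir/lottier-elementor.php");
rmdir($pluginDir);
rmdir($pluginsDir);
```

Run it as php audit.php /var/www/site/wp-content/plugins for each site in the estate; a present=true affected=true line is a host to put on the remediation list. version_compare() handles WordPress-style version strings such as 1.0.9 and 1.0.10 correctly, which a plain string comparison would not.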
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:23:54.908Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 69411752594e45819d70cb80
Added to database: 12/16/2025, 8:24:50 AM
Last enriched: 12/16/2025, 8:45:01 AM
Last updated: 12/18/2025, 4:00:56 AM