CVE-2025-66147
Description
Missing Authorization vulnerability in merkulove Coder for Elementor coder-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coder for Elementor: from n/a through <= 1.0.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Coder for Elementor plugin up to 1.0.13 allows unauthenticated attackers to exploit broken access controls.
Vulnerability Details
The Coder for Elementor plugin for WordPress, versions up to and including 1.0.13, suffers from a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing exploitation of broken access controls [1].
Exploitation
Attackers can exploit this vulnerability without authentication because the plugin does not verify user privileges before acting on a request. This makes it possible for unauthenticated or low-privileged users to execute higher-privileged actions [1]. The vulnerability is often used in mass-exploit campaigns targeting thousands of websites simultaneously [1].
Impact
Successful exploitation enables attackers to perform unauthorized actions, such as modifying plugin settings or executing code, potentially leading to full site compromise. The CVSS v3 base score of 5.4 (Medium) reflects the moderate severity, but the ease of exploitation and the potential for automated attacks increase the risk [1].
Mitigation
Users are strongly advised to update the plugin to a patched version immediately. If an update is unavailable, the next best action is to contact a hosting provider or web developer to implement temporary workarounds [1]. No official patch version is specified, so users should monitor vendor channels for updates.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.13
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.