CVE-2025-66155
Description
Missing Authorization vulnerability in merkulove Questionar for Elementor questionar-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Questionar for Elementor: from n/a through <= 1.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Questionar for Elementor allows unauthenticated attackers to exploit broken access controls, affecting versions <=1.1.7.
Vulnerability Overview
The Questionar for Elementor WordPress plugin (versions up to and including 1.1.7) contains a Missing Authorization vulnerability, classified as a Broken Access Control issue. This means the plugin fails to properly verify that a user has the necessary permissions before executing certain functions or accessing protected resources [1].
Exploitation
Attackers can exploit this incorrectly configured access control by sending crafted requests to the vulnerable endpoints without needing any authentication or elevated privileges. The vulnerability is particularly concerning because it can be leveraged in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, regardless of their traffic or popularity [1].
Impact
Successful exploitation allows an unprivileged user (or an unauthenticated remote attacker) to perform actions that should only be available to higher-privileged roles, such as administrators. This could lead to unauthorized modification of plugin settings, data exposure, or further compromise of the WordPress installation [1].
Mitigation
The vendor has not released a patch beyond version 1.1.7; affected users should immediately update the plugin to the latest available version. If updating is not possible, it is recommended to contact your hosting provider or web developer for assistance, or to disable the plugin until a fix is deployed [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: <=1.1.7
- (no CPE), range: <=1.1.7
Patches
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.