CVE-2025-66157

Vulnerability

Overview The Sliper for Elementor WordPress plugin (sliper-elementor) versions up to and including 1.0.0.10 contain a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, which fail to properly verify user permissions before allowing certain actions [1].

Exploitation

Details An attacker can exploit this vulnerability without needing any special privileges, as the missing authorization check allows unauthenticated or low-privileged users to access functions that should be restricted. The attack surface is the plugin's administrative or the plugin's administrative or AJAX endpoints that lack proper capability or nonce verification [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying plugin settings or accessing sensitive data, depending on the specific missing checks. This type of broken access control vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites [1]. /a].

Mitigation

The vendor has not released a patched version beyond .0.10 at the time of publication. Users are advised to update the plugin immediately if a fix becomes available, or to contact their hosting provider for assistance. As a workaround, consider disabling the plugin until a secure version is released [1].