VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-66159

Description

Missing Authorization vulnerability in merkulove Walker for Elementor walker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Walker for Elementor: from n/a through <= 1.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Walker for Elementor plugin (<=1.1.6) allows unprivileged users to execute higher-privileged actions, exploited in mass campaigns.

The vulnerability is a missing authorization check in the Walker for Elementor plugin for WordPress, affecting versions up to and including 1.1.6. The plugin fails to verify that a user has the necessary permissions to perform certain actions, which results in Broken Access Control [1].

An attacker can exploit this by sending a crafted request to a vulnerable endpoint without needing any special privileges. The lack of proper access control allows unprivileged users to execute functions that should be restricted to higher-privileged roles, such as administrators. This type of vulnerability is commonly targeted in mass-exploit campaigns due to the widespread use of the plugin and the low complexity of exploitation [1].

Successful exploitation could enable an attacker to gain unauthorized access to administrative capabilities, potentially allowing them to modify site settings, inject malicious content, or take full control of the WordPress installation. The impact is heightened by the plugin's popularity and the ease with which attackers can automate attacks against thousands of sites [1].

Users are strongly advised to update the Walker for Elementor plugin to version 1.1.7 or later, which includes the necessary authorization checks. If immediate updating is not possible, it is recommended to contact a hosting provider or web developer for assistance in implementing temporary workarounds or access controls to mitigate the risk [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
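
To find installs that fall in the affected range stated above (Walker for Elementor through 1.1.6), the following added example, which is not code from the advisory or from the plugin, reads the plugin's `Version` header on disk. The function names, the constructed test install and its file name, and the default `wp-content/plugins/walker-elementor` layout are assumptions.

```python
import re
import tempfile
from pathlib import Path

SLUG = "walker-elementor"      # plugin slug as given in the CVE description
LAST_AFFECTED = (1, 1, 6)      # "through <= 1.1.6" per the CVE description
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '1.1.6' into (1, 1, 6); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def plugin_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None.
    WordPress reads plugin headers from the first 8 KB of top-level PHP files."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if "Plugin Name:" in head:
            m = HEADER_RE.search(head)
            return m.group(1) if m else None
    return None

def audit(wp_root):
    """Classify one install as absent / affected / not-affected / unknown.
    Assumes the default wp-content location; relocated content dirs need the real path."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("absent", None)
    version = plugin_version(plugin_dir)
    if version is None:
        return ("unknown", None)   # no readable header: review by hand
    state = "affected" if parse_version(version) <= LAST_AFFECTED else "not-affected"
    return (state, version)

def make_constructed_install(root, version):
    """Build a constructed (fake) install for the demo; the PHP file name is made up."""
    d = Path(root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True)
    (d / "plugin-main.php").write_text(
        "<?php\n/**\n * Plugin Name: Walker for Elementor\n * Version: %s\n */\n" % version)
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("1.1.6", "1.1.7"):
            print(v, audit(make_constructed_install(Path(tmp) / v, v)))
```

An `unknown` result means the plugin directory exists but no version header could be read, so it should be handled as affected until checked manually.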

Affected products

1

Patches

0

No patches discovered yet.

References

1
