CVE-2025-66163
Description
Missing Authorization vulnerability in merkulove Masker for Elementor masker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Masker for Elementor: from n/a through <= 1.1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Masker for Elementor (≤1.1.4) allows unauthenticated users to exploit incorrectly configured access controls.
Vulnerability
Overview
CVE-2025-66163 affects the Masker for Elementor plugin for WordPress in versions up to and including 1.1.4. It is a missing authorization issue, classified as a Broken Access Control vulnerability [1]. Certain functions within the plugin lack proper authorization checks, nonce tokens, or authentication requirements, which allows access to functionality that should be restricted to higher-privileged users.
Exploitation
Attackers can exploit this vulnerability remotely without requiring authentication or any special privileges. The missing authorization checks can be triggered by unprivileged users, potentially including unauthenticated visitors, depending on the specific vulnerable endpoint. The attack surface is the WordPress admin dashboard and plugin functionality exposed via the web interface.
Impact
Successful exploitation allows an attacker to perform actions that should require higher privileges, such as modifying plugin settings or accessing protected data. This could lead to partial compromise of the site's configuration or content. The vulnerability is rated Medium severity with a CVSS v3 score of 5.4, and Patchstack notes that similar vulnerabilities are often used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has not released a patched version. Users must update to a version beyond 1.1.4 if one becomes available, or apply the recommendations from the advisory: update the plugin immediately or contact a web developer for assistance [1]. No workaround is documented, so the primary mitigation is to disable or replace the plugin if an update is not available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1.4
- Range: <=1.1.4
Patches
No patches discovered yet.
References