CVE-2025-66164
Description
Missing Authorization vulnerability in merkulove Laser laser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Laser: from n/a through <= 1.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Laser plugin (<=1.1.1) allows unauthenticated privilege escalation; update immediately.
The Laser plugin for WordPress, versions 1.1.1 and earlier, contains a missing authorization vulnerability. This flaw stems from improperly configured access control security levels, allowing unauthenticated or low-privileged users to execute higher-privileged actions without proper checks [1].
Exploitation does not require authentication in many cases, making it suitable for automated mass-exploit campaigns. An attacker can send crafted requests to the vulnerable endpoint, bypassing the intended access restrictions [1].
Successful exploitation enables an attacker to escalate privileges, potentially gaining administrative control over the WordPress site. This could lead to full site compromise, including data theft, defacement, or further malware injection [1].
The vendor has not released a patch for versions beyond 1.1.1, so affected users should update the plugin to the latest available version. If an update is not possible, applying a Web Application Firewall rule or disabling the plugin may serve as a temporary workaround [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.1.1
- (no CPE) range: <= 1.1.1
Package: https://wordpress.org/plugins/laser
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.