CVE-2025-66165

Vulnerability

Overview

CVE-2025-66165 is a missing authorization vulnerability in the Lottier for WPBakery plugin (lottier-wpbakery) for WordPress, affecting versions from n/a through 1.1.7. The issue stems from incorrectly configured access control security levels, which can be exploited by attackers to perform actions that should require higher privileges [1].

Exploitation

This broken access control vulnerability can be exploited without authentication, as the plugin fails to properly verify user permissions or nonce tokens in certain functions. Attackers can target thousands of websites simultaneously in mass-exploit campaigns, regardless of site size or popularity [1].

Impact

Successful exploitation allows an unprivileged attacker to execute higher-privileged actions, potentially leading to unauthorized modification of site content, settings, or other administrative functions. The CVSS v3 base score is 5.4 (Medium), reflecting the moderate but real risk to affected sites [1].

Mitigation

The vendor has not released a patched version as of the publication date. Immediate action is recommended: update the plugin to the latest available version. If an update is not possible, contact your hosting provider or web developer for assistance. This vulnerability is known to be used in mass-exploit campaigns [1].