CVE-2025-66166
Description
Missing Authorization vulnerability in merkulove Lottier for Elementor lottier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for Elementor: from n/a through <= 1.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lottier for Elementor plugin <=1.0.9 has a missing authorization vulnerability allowing unprivileged users to exploit incorrectly configured access controls.
Vulnerability Overview
The Lottier for Elementor plugin for WordPress, versions up to and including 1.0.9, suffers from a missing authorization vulnerability. This issue arises from incorrectly configured access control security levels, allowing an attacker to perform actions normally reserved for higher-privileged users [1].
Exploitation Details
Exploiting this vulnerability requires either no authentication or only low-level privileges, making it exploitable by any unprivileged user. The lack of proper authorization checks in certain functions enables an attacker to execute restricted actions, such as modifying settings or accessing sensitive data, without the necessary permissions [1].
Impact
Successful exploitation can lead to unauthorized access to administrative functions, data exposure, or site compromise. The reference notes that such vulnerabilities are often used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].
Mitigation
The vendor has likely released a fix in a version beyond 1.0.9. Users are strongly advised to update the plugin immediately. If an update is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- (no CPE) range: <=1.0.9
- (no CPE) range: <=1.0.9
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.