CVE-2025-66167

CVE-2025-66167 is a Missing Authorization vulnerability in the Lottier lottier-gutenberg WordPress plugin, affecting versions from n/a through 1.1.1. The root cause is a broken access control issue, meaning the plugin lacks proper authorization, authentication, or nonce token checks in a function that should require higher privileges [1].

Attackers can exploit this vulnerability by sending crafted requests to the vulnerable function without needing elevated privileges. This type of vulnerability is frequently leveraged in mass-exploit campaigns targeting thousands of websites, regardless of site size or popularity [1]. No authentication is required for exploitation, making the attack surface broad.

Successful exploitation allows an unprivileged attacker to execute higher privileged actions, potentially leading to unauthorized modifications, data exposure, or further compromise of the WordPress site. The CVSS v3 score is 5.4 (Medium), reflecting the moderate impact and ease of exploitation [1].

As of the publication date (2025-12-16), users are advised to update the plugin to a patched version immediately. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1]. No workaround details are provided, and the vendor has not released a patch beyond the affected version range.