CVE-2025-66137 – This CVE describes a Missing Authorization vuln... (How to Fix)

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the Searcher for Elementor WordPress plugin that allows attackers to bypass access controls. Attackers can exploit incorrectly configured security levels to perform unauthorized actions. All WordPress sites running Searcher for Elementor version 1.0.3 or earlier are affected.

💻 Affected Systems

Products:

merkulove Searcher for Elementor

Versions: n/a through <= 1.0.3

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WordPress installations with the vulnerable plugin version

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise through privilege escalation, data theft, or unauthorized content modification

🟠

Likely Case

Unauthorized access to restricted functionality, potential data exposure, or content manipulation

🟢

If Mitigated

Limited impact with proper access controls and monitoring in place

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires understanding of WordPress access control mechanisms

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >1.0.3

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/searcher-elementor/vulnerability/wordpress-searcher-for-elementor-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Searcher for Elementor'
4. Click 'Update Now' if update available
5. If no update, deactivate and remove plugin
6. Install latest version from WordPress repository

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate Searcher for Elementor plugin until patched

wp plugin deactivate searcher-elementor

Restrict plugin access

all

Use WordPress security plugins to restrict access to plugin functionality

🧯 If You Can't Patch

Implement strict network access controls to limit plugin exposure
Enable detailed logging and monitoring for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Searcher for Elementor version

Check Version:

wp plugin get searcher-elementor --field=version

Verify Fix Applied:

Verify plugin version is >1.0.3 and test access control functionality

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to plugin endpoints
Unexpected privilege escalation events

Network Indicators:

Unusual requests to /wp-content/plugins/searcher-elementor/ endpoints

SIEM Query:

source="wordpress" AND (plugin="searcher-elementor" AND (action="unauthorized" OR status="403"))

📊 Metadata

CVE ID: CVE-2025-66137

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-862

EPSS Score: 0.04% exploit probability (13.2th percentile)

Published: January 22, 2026

Last Updated: January 26, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/searcher-elementor/vulnerability/wordpress-searcher-for-elementor-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66137, you might also want to check these: