CVE-2025-66140
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | uper_for_elementor | to 1.0.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66140 is a Broken Access Control vulnerability in the WordPress plugin "Uper for Elementor" (versions up to 1.0.5). It occurs due to missing authorization, authentication, or nonce token checks in certain functions, which allows unprivileged users (like subscribers or developers) to perform actions that normally require higher privileges. [1]
How can this vulnerability impact me? :
This vulnerability allows users without proper privileges to perform restricted actions, potentially leading to unauthorized changes or access within the affected WordPress site. However, the severity is considered low (CVSS 5.4), and exploitation is unlikely, so the overall risk is minimal. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for unauthorized access attempts or actions performed by low-privilege users on the Uper for Elementor plugin functions. Since the vulnerability arises from missing authorization checks, monitoring logs for unexpected privilege escalations or unusual API calls related to the plugin may help. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Uper for Elementor plugin to trusted users only, monitoring for suspicious activity, and applying any available security controls such as limiting user roles. Since no official fix or patched version is currently available, consider disabling the plugin if possible or using Patchstack's mitigation and security intelligence services to help protect against exploitation. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.