Impact
Merkulove Walker for Elementor contains a missing authorization flaw that allows users to bypass correctly configured access control settings, enabling unauthorized manipulation of the plugin’s functionality. The vulnerability is categorized as CWE‑862, indicating that protected resources can be accessed without proper verification. Attackers who can exploit this flaw may gain unauthorized access to plugin features, potentially altering content or executing unintended actions.
Affected Systems
The weakness affects the WordPress plugin Walker for Elementor versions up to and including 1.1.6. The plugin is hosted by Merkulove and is distributed through the WordPress plugin repository. WordPress sites running any of these versions are susceptible until they are updated to a newer release.
Risk and Exploitability
With a CVSS base score of 5.4, the flaw presents a medium-severity risk. An EPSS score of less than 1% suggests that exploitation attempts are currently uncommon. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation campaigns. The advisory does not state an exact attack vector. Its wording implies that the attack requires access to the plugin’s administrative functions, either through authenticated users or by triggering exposed endpoints, but this is inferred rather than explicitly documented.