Impact
Merkulove Masker for Elementor contains a missing authorization flaw that lets users without administrative privileges exploit incorrectly configured access control levels. The defect originates from a failure to verify the caller's role before processing privileged requests, enabling unauthorized modification of plugin settings or site content. As a classic broken access control vulnerability (CWE-862), any actor that can reach the plugin's endpoints could gain capabilities normally reserved for administrators, potentially compromising the confidentiality, integrity, or availability of the site's data.
Affected Systems
All installations of Masker for Elementor from its initial release through version 1.1.4 are affected. The vulnerability applies to this Merkulove plugin, a WordPress add-on hosted on WordPress.org and commonly used to add visual masking features to Elementor. No specific WordPress core version requirements are listed, so any WordPress site running a vulnerable plugin instance is at risk.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate baseline risk. The EPSS score, below 1%, suggests that the probability of exploitation in the wild is currently low, and the issue is not yet catalogued in the CISA KEV database. The likely attack vector is HTTP requests to the plugin's administrative endpoints, which are reached through the web interface. Based on the description, it is inferred that an authenticated user with lower privileges or, where the admin area is unprotected, an unauthenticated attacker could exploit this flaw by sending crafted requests that modify plugin settings or content. Despite the moderate severity and low exploit probability, administrators should prioritize patching or mitigating the access control gap to prevent potential privilege escalation.
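To make the mechanism described above concrete, the following is an added illustration (not Masker for Elementor's code) of how a CWE-862 missing-authorization bug typically looks in a WordPress plugin handler, beside the hardened form that checks the caller's role; every hook, option and field name here is hypothetical.

```php
<?php
// Added illustration, not the plugin's own code: the shape of a CWE-862
// missing-authorization bug in a WordPress AJAX handler and its fix.
// Hook names, option names and field names are hypothetical.

// --- Vulnerable shape: the handler trusts whoever reaches the endpoint.
// wp_ajax_* fires for ANY logged-in user (subscribers included); registering the
// same callback on wp_ajax_nopriv_* would expose it to unauthenticated callers too.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // No capability check and no nonce check: the caller's role is never verified,
    // so any account that can reach this endpoint rewrites the plugin settings.
    update_option( 'example_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened shape: verify the role, then the request origin, then the input.
add_action( 'wp_ajax_example_save_settings_fixed', 'example_save_settings_fixed' );
function example_save_settings_fixed() {
    // 1. Authorization: only administrators may change plugin settings.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // 2. CSRF protection: the nonce ties the request to this action and this user.
    check_ajax_referer( 'example_save_settings_nonce', 'nonce' );

    // 3. Input validation before anything touches the database.
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// The same decision for a REST route: permission_callback is where WordPress
// expects authorization; '__return_true' there recreates the missing check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $settings = sanitize_text_field( (string) $req->get_param( 'settings' ) );
            update_option( 'example_settings', $settings );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of bug, grep for `wp_ajax_`, `wp_ajax_nopriv_` and `register_rest_route` and confirm each privileged handler reaches a `current_user_can()` check before it writes anything.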
OpenCVE Enrichment