Description
Missing Authorization vulnerability in merkulove Lottier lottier-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lottier: from n/a through <= 1.1.1.
Published: 2025-12-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw that allows an attacker to perform actions normally restricted to higher‑privileged users. The weakness lets an unauthorized or minimally privileged user potentially read or modify content beyond their intended scope, increasing confidentiality and integrity risk. The weakness is identified as CWE‑862, a classic broken access control issue.

Affected Systems

The Lottier Gutenberg plugin for WordPress by merkulove is affected, version 1.1.1 and earlier. The vulnerability applies to all installations of the plugin where the default access control has not been reconfigured to restrict operation levels.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is under 1 %, meaning the exploitation probability is low at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through an authenticated session or a user with limited privileges; an attacker would need to discover a user account or otherwise gain access, then exploit the missing authorization check to elevate privileges within the context of the plugin’s functionality.

Generated by OpenCVE AI on April 29, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lottier plugin to a version newer than 1.1.1.
  • Restrict WordPress user roles to the minimal capabilities required for plugin operation.
  • Review and test the plugin’s operations to ensure no privileges are implicitly granted to lower‑privilege users.

Generated by OpenCVE AI on April 29, 2026 at 11:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in merkulove Lottier lottier-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lottier: from n/a through <= 1.1.1.
Title WordPress Lottier plugin <= 1.1.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:10:54.094Z

Reserved: 2025-11-21T11:23:54.908Z

Link: CVE-2025-66167

cve-icon Vulnrichment

Updated: 2025-12-16T15:57:55.506Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:15:59.057

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66167

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses