WordPress LA-Studio Element Kit for Elementor plugin <= 1.3.6 - Broken Access Control vulnerability

Vulnerability

Missing Authorization vulnerability in the LA-Studio Element Kit for Elementor plugin for WordPress [1]. The plugin versions from n/a through 1.3.6 lack proper authorization checks on certain functionality, allowing unauthenticated or low-privileged users to perform actions that should require higher privileges. The plugin is installed as part of WordPress and Elementor page builder.

Exploitation

An attacker can exploit this by sending crafted requests to the WordPress site without needing authentication, or with minimal privileges. The exact mechanism is not detailed in available references, but missing authorization vulnerabilities typically involve direct access to endpoints or AJAX actions that bypass capability checks [1].

Impact

Successful exploitation may lead to unauthorized modification of settings, data exposure, or other actions depending on the affected functionality. The impact could include information disclosure or privilege escalation [1].

Mitigation

The vulnerability is fixed in versions 1.3.7 and above. Users should update to the latest version (1.6.0) available from the WordPress plugin repository [1]. If unable to update, consider disabling the plugin until a patch is applied.