CVE-2025-22671
Description
Missing authorization in Disable Elementor Editor Translation plugin allows unauthorized modification of plugin settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Disable Elementor Editor Translation plugin for WordPress, in versions up to and including 1.0.2, contains a missing authorization vulnerability in the saving of control values. The plugin does not verify user capabilities before processing requests to modify its settings, so users with lower privileges can alter the plugin configuration. This issue affects all versions through 1.0.2 [1].
Exploitation
An attacker must be authenticated as a user on the WordPress site, such as a subscriber or contributor, and be able to send crafted HTTP requests to the plugin's settings endpoint. No special network position or additional user interaction is required beyond the attacker's own actions. The attacker can directly submit a request to save control values, and the request is processed without proper authorization checks.
Impact
Successful exploitation allows an authenticated attacker to modify the plugin's settings, potentially disabling the translation feature or altering other configuration options. The impact is limited to the plugin's functionality and does not provide direct access to other parts of the WordPress installation or data.
Mitigation
The vulnerability is fixed in version 1.0.3 of the Disable Elementor Editor Translation plugin, released on 2025-01-26 [1]. Users should update to version 1.0.3 or later. No workarounds are available for versions 1.0.2 and earlier.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.0.2
- (no CPE) range: <=1.0.2
Patches
No patches discovered yet.
References