CVE-2025-54037
Description
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through <= 1.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization vulnerability in News Kit Elementor Addons plugin allows unauthorized actions due to incorrect access controls.
Vulnerability Overview
The News Kit Elementor Addons plugin for WordPress, versions up to and including 1.3.4, suffers from a missing authorization vulnerability [1]. This flaw stems from an incorrectly configured access control security level, which fails to properly verify user permissions before allowing certain actions. As a result, unauthenticated or low-privileged users can perform functions that should require higher privileges.
Exploitation
Attackers can exploit this vulnerability by sending specially crafted requests to the affected plugin endpoints without needing any authentication [1]. The vulnerability is particularly dangerous in mass-exploit campaigns, where attackers target thousands of websites indiscriminately, regardless of their size or popularity [1]. No special network access or prerequisites are required beyond targeting a vulnerable site.
Impact
Successful exploitation allows an attacker to execute privileged actions that should be restricted to authorized users [1]. This could include modifying or deleting content, changing plugin settings, or other administrative operations depending on the exact missing authorization checks. The CVSS base score of 5.4 (Medium) reflects the potential for significant but limited impact.
Mitigation
The vulnerability has been patched in version 1.3.5 of the plugin. Users are strongly advised to update to the latest version immediately [1]. If updating is not possible, consider disabling the plugin or consulting with a hosting provider for temporary workarounds. Patchstack users can enable auto-updates for vulnerable plugins to ensure future protection [1].
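An added example, not part of the advisory or the plugin's code: a POSIX shell audit that finds installs of the plugin under a web root and flags versions below 1.3.5. It assumes the standard WordPress layout (`wp-content/plugins/<slug>`), a `Version:` header in one of the plugin's top-level PHP files, and a `sort` that supports `-V`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory check for CVE-2025-54037 (not the vendor's code).
SLUG="news-kit-elementor-addons"   # plugin slug from the advisory
FIXED="1.3.5"                      # first patched version per the advisory

# True when version $1 sorts strictly before version $2 (needs sort -V).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print the "Version:" header found in the plugin's top-level PHP files.
# Assumption: the main plugin file carries the usual WordPress header.
plugin_version() {
  for pv_file in "$1"/*.php; do
    [ -f "$pv_file" ] || continue
    pv_val=$(sed -n \
      's|^[[:space:]*#]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*|\1|p' \
      "$pv_file" | head -n 1)
    if [ -n "$pv_val" ]; then
      printf '%s\n' "$pv_val"
      return 0
    fi
  done
  return 1
}

# Walk a directory tree and report one line per install of the plugin:
#   VULNERABLE <version> <path> | PATCHED <version> <path> | UNKNOWN - <path>
audit_wp_root() {
  find "$1" -type d -path "*/wp-content/plugins/$SLUG" 2>/dev/null |
  while IFS= read -r au_dir; do
    if au_ver=$(plugin_version "$au_dir"); then
      if version_lt "$au_ver" "$FIXED"; then
        echo "VULNERABLE $au_ver $au_dir"
      else
        echo "PATCHED $au_ver $au_dir"
      fi
    else
      echo "UNKNOWN - $au_dir"   # no header found; inspect manually
    fi
  done
}

# Run the audit when a directory is given, e.g.: sh audit.sh /var/www
if [ "$#" -gt 0 ]; then audit_wp_root "$1"; fi
```

An `UNKNOWN` line means the directory exists but no version header was readable, so that install should be checked by hand rather than treated as patched.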
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.3.4
- (no CPE) range: <=1.3.4
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.