CVE-2025-55712

Vulnerability

Overview The Plus Addons for Elementor Page Builder Lite plugin for WordPress versions up to 6.3.13 suffers from a missing authorization vulnerability [1]. This broken access control issue means that certain functions lack proper authorization checks, such as nonce tokens or capability verification, allowing unauthenticated or low-privileged users to access higher-privileged actions.

Exploitation

Attackers can exploit this vulnerability remotely without needing authentication, or with minimal privileges, to perform actions intended for administrators [1]. The Patchstack advisory notes that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity.

Impact

Successful exploitation could allow an attacker to modify plugin settings, inject malicious content, or otherwise compromise the site's security. The CVSS score of 6.5 (Medium) reflects the potential for significant impact, though the vendor rates it as low severity.

Mitigation

The vulnerability is patched in version 6.3.14. Users are strongly advised to update immediately. If unable to update, consult a hosting provider or developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].