CVE-2025-57995

Vulnerability

Overview The DethemeKit For Elementor plugin for WordPress (versions up to and including 2.1.10) contains a missing authorization vulnerability. This is classified as a Broken Access Control issue, meaning the plugin fails to properly enforce access control checks on certain functions, allowing unauthenticated or low-privilege users to execute actions that should require higher privileges [1].

Attack

Vector and Exploitation Exploitation does not require authentication or any special privileges, as the plugin lacks necessary nonce or capability checks. An attacker can send crafted requests to the vulnerable endpoints, targeting any WordPress site running the affected plugin version. This vulnerability is likely used in mass-exploit campaigns due to its ease of exploitation [1].

Impact

A successful attack can allow an unprivileged user to perform privileged actions, such as modifying settings or data that should be protected. This can lead to partial loss of integrity and potentially further compromise of the WordPress installation if combined with other weaknesses. The CVSS v3 base score of 4.3 (Medium) reflects the moderate scope of impact but ease of exploitation increases real-world risk [1].

Mitigation

Users are strongly advised to update the DethemeKit For Elementor plugin to the latest available version. For those unable to update immediately, a workaround may involve restricting access to the plugin's functionality via a web application firewall or contacting the hosting provider for assistance. The vendor has likely released a patch; however, if the plugin is no longer maintained, sites may remain vulnerable [1].