CVE-2025-58251
Description
Missing Authorization vulnerability in POSIMYTH Sticky Header Effects for Elementor sticky-header-effects-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Header Effects for Elementor: from n/a through <= 2.1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in Sticky Header Effects for Elementor allows unauthenticated attackers to exploit incorrectly configured access controls in versions up to 2.1.2.
Vulnerability Overview
The vulnerability is a broken access control issue in the Sticky Header Effects for Elementor WordPress plugin, versions up to and including 2.1.2. The root cause is a missing authorization check (lack of proper capability or nonce verification) in one or more plugin functions [1]. This flaw falls under the category of 'Missing Authorization' — an attacker can execute actions that should be restricted to higher-privileged users [1].
Exploitation Conditions
No authentication is required to exploit this vulnerability. An attacker can send specially crafted requests to a WordPress site running the affected plugin to trigger the missing authorization. The attack vector is network-based, with low complexity, and does not require user interaction. Since it is a broken access control flaw, it can be leveraged in mass-exploit campaigns targeting thousands of sites simultaneously, irrespective of site popularity or traffic [1].
Impact
Successful exploitation allows an unauthenticated attacker to perform unauthorized actions, potentially modifying plugin settings or executing operations normally reserved for administrators. The CVSS v3.1 score is 4.3 (Medium), indicating a moderate severity. However, in the WordPress ecosystem, the risk can be elevated when combined with other vulnerabilities [1].
Mitigation
The vulnerability has been fixed in version 2.1.3 of the plugin, released by the vendor POSIMYTH. Users are strongly advised to update immediately. Patchstack users with auto-update enabled can rely on automatic updates. As a workaround, if an immediate update is not possible, contacting the hosting provider or developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.