CVE-2025-63077

Vulnerability

Overview

CVE-2025-63077 is a missing authorization vulnerability in the WordPress plugin Happy Addons for Elementor, Elementor, developed by Happy Elementor Addons, affecting versions from n/a through 3.20.3. The issue stems from incorrectly configured access control security levels, which can be exploited by an attacker to perform actions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability without authentication, as the missing authorization check allows unprivileged users to access functions that should be restricted. The attack surface is the plugin's implementation of access controls, which fails to properly verify user capabilities before allowing certain operations [1].

Impact

Successful exploitation could lead to unauthorized modification of settings or content, potentially affecting the security and integrity of the WordPress site. The CVSS v3 base score is 4.3 (Medium), indicating a moderate severity with low impact on confidentiality, integrity, and availability [1].

Mitigation

The vendor has released version 3.20.4.20.4 which addresses the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update, consulting a hosting provider or web developer is recommended [1].