CVE-2025-64210

Vulnerability

Overview

The Masterstudy Elementor Widgets plugin for WordPress, versions 1.2.4 and earlier, contains a missing authorization vulnerability. The issue stems from incorrectly configured access control security levels, which means the plugin fails to properly verify user permissions before allowing certain actions. This is classified as a broken access control vulnerability, where a missing authorization, authentication, or nonce token check can lead to unauthorized privilege escalation [1].

Exploitation

An attacker can exploit this vulnerability without needing any prior authentication, as the access control checks are missing entirely. The attack surface is the WordPress admin interface, and no special network position is required—any unauthenticated user can potentially trigger the vulnerable functionality. The vulnerability is considered low severity by the vendor, but it is noted that such issues are often used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation allows an attacker to perform actions that should require higher privileges, such as modifying plugin settings or content. This could lead to unauthorized changes to the website, including injecting malicious content or altering widget configurations. The CVSS v3 score of 5.4 reflects a medium severity, with the primary impact being on integrity and availability [1].

Mitigation

The vulnerability has been patched in version 1.2.5 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection [1].