CVE-2025-64211
Description
Missing Authorization vulnerability in StylemixThemes Masterstudy Elementor Widgets masterstudy-elementor-widgets allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Masterstudy Elementor Widgets: from n/a through <= 1.2.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Masterstudy Elementor Widgets ≤1.2.4 allows unauthenticated access to restricted functions; fixed in version 1.2.5.
CVE-2025-64211 is a missing authorization vulnerability in the Masterstudy Elementor Widgets plugin for WordPress, affecting versions up to and including 1.2.4. The flaw arises because the plugin fails to properly enforce access controls on certain functionality, allowing users to access actions that should be restricted by ACLs [1].
An attacker can exploit this vulnerability without authentication by sending specially crafted requests to the affected plugin's endpoints. Since no valid nonce or capability check is performed, any unauthenticated visitor can trigger privileged operations that were intended only for authenticated users with higher roles [1].
The impact is that an attacker can access functionality not properly constrained by ACLs, which may include administrative actions such as modifying content or settings, depending on the specific exposed functions. While the CVSS score is 5.3 (Medium), the vendor has assessed the severity as low and considers exploitation unlikely [1].
The vulnerability has been addressed in version 1.2.5 of the plugin. Users are strongly advised to update immediately. If automatic updates are enabled via Patchstack or another solution, the fix can be applied seamlessly. Website administrators unable to update should consult their hosting provider for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 (<= 1.2.4, + 1 more)
- (no CPE), range: <= 1.2.4
- (no CPE), range: <=1.2.4
Patches
0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
0
No linked articles in our index yet.