VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 16, 2025 · Updated Apr 27, 2026

CVE-2025-64244

Description

Missing Authorization vulnerability in Codexpert, Inc Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Restrict Elementor Widgets, Columns and Sections: from n/a through <= 1.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Restrict Elementor Widgets, Columns and Sections plugin (≤1.12) allows unauthenticated attackers to exploit incorrectly configured access controls.

Vulnerability

Overview

The Restrict Elementor Widgets, Columns and Sections plugin for WordPress (versions up to and including 1.12) suffers from a missing authorization vulnerability [1]. The issue stems from an incorrectly configured access control security level, which fails to properly enforce permission checks on certain functions [1]. This is classified as a Broken Access Control vulnerability, meaning the plugin lacks a valid authorization or nonce token check in a function that would normally require higher privileges [1].

Exploitation

An attacker with low-level authenticated access (e.g., a subscriber or contributor) can exploit this flaw to perform actions that should be restricted to higher-privileged users like administrators [1]. The attack surface is the WordPress admin interface, and no special network position is required beyond being a logged-in user on the target site [1]. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows an unprivileged user to perform actions that should require higher privileges, such as modifying widget restrictions or other access settings [1]. This could lead to unauthorized changes to the site's Elementor widget, column, and section restrictions, potentially exposing content or functionality that the site owner intended to keep private [1]. The CVSS v3 score of 4.3 (Medium) reflects the limited but real risk of privilege escalation within the WordPress context [1].

Mitigation

The vendor has not released a patch for this vulnerability, and the affected version range is through 1.12 [1]. Immediate action is recommended: update the plugin to a patched version if available, or if unable to do so, contact your hosting provider or web developer for assistance [1]. Given the active use in mass-exploit campaigns, this vulnerability should be treated with high priority despite its Medium CVSS score [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
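
To find installs that fall in the affected range stated above (through 1.12), the following added example, which is not part of the advisory or the plugin's code, reads the plugin header under each WordPress root and compares versions numerically. It assumes the default `wp-content/plugins/<slug>` layout; the function names and the sample main file name are hypothetical.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "restrict-elementor-widgets"  # plugin slug named in the advisory
LAST_AFFECTED = "1.12"                      # advisory: affected through <= 1.12

# WordPress takes plugin metadata from a header comment in the main PHP file.
NAME_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([^\r\n*]+)", re.I | re.M)

def version_key(version):
    """Numeric key: 1.9 sorts below 1.12, and 1.12.0 equals 1.12."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]  # the header sits in the first 8 KB
        if NAME_RE.search(head):
            match = VERSION_RE.search(head)
            return match.group(1).decode("utf-8", "replace").strip() if match else None
    return None

def is_affected(version):
    """Fail closed: a version that cannot be read counts as affected."""
    return version is None or version_key(version) <= version_key(LAST_AFFECTED)

def audit(wp_roots):
    """Return (root, version, affected) for each root that has the plugin."""
    results = []
    for root in wp_roots:
        # Assumption: default layout; WP_CONTENT_DIR may relocate wp-content.
        plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        if plugin_dir.is_dir():
            version = installed_version(plugin_dir)
            results.append((str(root), version, is_affected(version)))
    return results

if __name__ == "__main__":
    # Constructed sample install; the main file name is a placeholder.
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin.mkdir(parents=True)
        (plugin / "main.php").write_text("<?php\n/**\n * Plugin Name: Sample\n * Version: 1.9\n */\n")
        for root, version, affected in audit([tmp]):
            print(root, version, "AFFECTED" if affected else "ok")
```

A plain string comparison would rank 1.9 above 1.12 and miss that install, which is why the versions are compared component by component.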

Affected products: 2

Patches: 0

No patches discovered yet.

References: 1