CVE-2025-64274

The WPKoi Templates for Elementor plugin for WordPress, versions up to and including 3.4.4, suffers from a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly verify user permissions or nonce tokens, allowing unprivileged users to perform actions that should require higher privileges [1].

Exploitation does not require authentication, as the access control checks are incorrectly configured. Attackers can exploit this by sending crafted requests to the plugin's endpoints, bypassing intended security restrictions. The vulnerability is considered low severity but is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

An attacker who successfully exploits this vulnerability can perform unauthorized actions within the plugin's functionality, potentially leading to further compromise of the WordPress site. The exact impact depends on the specific missing authorization, but it could allow modification of templates or other restricted operations [1].

The vulnerability has been addressed in version 3.4.5 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].