CVE-2025-67540

Vulnerability

Overview

The Animation Addons for Elementor plugin for WordPress (versions up to and including 2.4.5) suffers from a Missing Authorization vulnerability [1]. This flaw stems from incorrectly configured access control security levels, allowing exploitation of the plugin's content deletion functionality without proper permission checks.

Exploitation

Details

Attackers can exploit this vulnerability remotely without requiring authentication, making it particularly dangerous for mass-exploit campaigns [1]. The plugin's widespread use on WordPress sites increases the attack surface, and malicious actors can target thousands of websites simultaneously regardless of their size or popularity.

Impact

Successful exploitation enables an attacker to delete arbitrary content from the affected website, including images, posts, and pages [1]. This can lead to data loss, site defacement, and potential disruption of business operations.

Mitigation

The vendor has released version 2.4.6 which resolves the vulnerability [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection.