VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-67588

Description

Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through <= 3.33.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing authorization vulnerability in Elementor Website Builder (<= 3.33.0) allows attackers to exploit incorrectly configured access controls.

A missing authorization vulnerability exists in the Elementor Website Builder plugin for WordPress, affecting versions up to and including 3.33.0. The flaw is categorized as broken access control: a function lacks a proper authorization, authentication, or nonce token check. As a result, an unprivileged user could execute higher-privileged actions without permission[1].

The attack surface is remote and does not require authentication if the access control is missing entirely, but exploitation may still be limited based on specific plugin configurations. Given that Elementor is widely used, this vulnerability could be leveraged in mass-exploit campaigns, targeting thousands of websites simultaneously regardless of their size or popularity[1].

The impact is considered medium severity (CVSS v3.1 4.3), as an attacker could gain unauthorized access to administrative features or modify content without proper permissions. However, the official advisory notes the risk is low and exploitation is unlikely under typical conditions. The main concern is the potential for broader abuse if chained with other issues.

Elementor has released version 3.33.1 to patch this vulnerability. Users are strongly advised to update immediately or enable auto-update for vulnerable plugins via Patchstack. If updating is not possible, contacting a hosting provider or web developer is recommended as a workaround[1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
