CVE-2025-68085

Vulnerability

Overview The Buttoner for Elementor WordPress plugin, versions up to and including 1.0.6, contains a missing authorization vulnerability. The plugin fails to properly verify access control security levels, allowing an attacker to exploit incorrectly configured access controls [1]. This flaw is classified as a Settings Change vulnerability under CVE-2025-68085.

Exploitation

Details The vulnerability can be exploited without authentication, as the missing authorization check does not require any user privileges. Attackers can target any WordPress site running the vulnerable plugin version, regardless of traffic size or popularity. This type of vulnerability is commonly used in mass-exploit campaigns, where attackers automate attacks against thousands of websites simultaneously [1].

Impact

Successful exploitation allows an attacker to change plugin settings without authorization. While the exact settings that can be modified are not detailed in the advisory, the ability to alter configuration could lead to further compromise, such as redirecting users, injecting malicious content, or disabling security features. The CVSS v3 base score is 5.4 (Medium), reflecting the potential for significant impact with low complexity and no required privileges [1].

Mitigation

The vendor has not released a patched version beyond 1.0.6, so immediate action is required. The recommended action is to update the plugin as soon as a fixed version becomes available. If updating is not possible, users should contact their hosting provider or web developer for assistance. Given the active exploitation in mass campaigns, this vulnerability should be treated with high priority [1].