CVE-2025-68087

Modalier for Elementor, a WordPress plugin, versions up to and including 1.0.6, contain a missing authorization vulnerability. The plugin fails to properly validate access control security levels, resulting in a broken access control issue that can be exploited by attackers without proper privileges [1].

Exploitation requires no authentication, meaning any unauthenticated web visitor can trigger the vulnerable functionality. The attack surface is broad, as the plugin is widely deployed on WordPress sites, and this type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Successful exploitation allows an attacker to perform actions normally restricted to higher-privileged users, such as modifying plugin settings or data. The CVSS v3.1 base score is 5.4 (Medium), reflecting the moderate but real risk of unauthorized access [1].

The vendor Patchedstack recommends updating the plugin immediately. Websites running an affected version should apply the available patch; if updating is not possible, site owners should contact their hosting provider or web developer for assistance [1].