CVE-2025-68088
Description
Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Huger for Elementor: from n/a through <= 1.1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization vulnerability in Huger for Elementor plugin up to version 1.1.5 allows unprivileged attackers to execute higher-privileged actions, leading to site compromise.
Vulnerability
The Huger for Elementor plugin for WordPress versions n/a through 1.1.5 contains a missing authorization vulnerability. Specifically, the plugin fails to properly verify access control security levels, allowing exploitation of incorrectly configured access controls. This issue is classified as a broken access control vulnerability [1].
Exploitation
The vulnerability can be exploited without any special privileges or authentication, making it accessible to unauthenticated attackers. Attackers can target thousands of websites at once using mass-exploit campaigns, regardless of site traffic or popularity [1]. The attack complexity is low, and no user interaction is required.
Impact
Successful exploitation allows an attacker to perform actions that should require higher privileges, such as modifying settings or data, leading to potential site takeover or data breach. The CVSS v3 score is 5.4 (Medium) [1].
Mitigation
It is unclear whether the vendor has released a patched version beyond 1.1.5. The description gives the affected range as 'through <= 1.1.5', so users should update to a version newer than 1.1.5 if available. If unable to update, site administrators should contact their hosting provider or web developer for assistance [1]. As this vulnerability is known to be used in mass attacks, immediate action is recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.