CVE-2025-68981
Description
Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeFix Elementor Portfolio: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the HomeFix Elementor Portfolio plugin allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability
CVE-2025-68981 is a missing authorization vulnerability in the HomeFix Elementor Portfolio WordPress plugin, affecting versions up to and including 1.0.1. The plugin fails to properly check access control security levels, allowing exploitation of incorrectly configured access controls [1].
Exploitation
Attackers can exploit this flaw without requiring authentication or elevated privileges, as the authorization checks are missing for certain functions. The vulnerability is classified as a broken access control issue, which means unprivileged users can perform actions that should be limited to higher-privileged roles [1].
Impact
Successful exploitation could allow an attacker to modify or delete content, access unauthorized data, or perform other unauthorized actions within the affected WordPress site. While the CVSS score is 5.3 (Medium), such vulnerabilities are often targeted in mass-exploit campaigns against multiple websites [1].
Mitigation
The vulnerability has been addressed in version 1.0.4 of the plugin. Users should update to this version or later to remediate the issue. Patchstack recommends enabling auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.1
- Range: <= 1.0.1
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.