CVE-2026-24605
Description
Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in X Addons for Elementor (versions <= 1.0.23) allows unauthenticated attackers to exploit incorrectly configured access control security levels.
Vulnerability Description
A missing authorization vulnerability, specifically a Broken Access Control issue, exists in the WordPress plugin X Addons for Elementor (versions ≤ 1.0.23) [1]. The plugin fails to properly verify permissions or nonce tokens in certain functions, which can lead to unauthenticated users executing privileged actions [1].
Exploitation Method
An attacker can exploit this vulnerability without any authentication by sending crafted requests to the affected plugin's endpoints [1]. Since the access control checks are missing or incorrectly configured, no special privileges or network position is required beyond being able to reach the WordPress installation [1].
Impact
A successful attack could allow an unprivileged user to perform actions normally restricted to higher-privileged users, such as modifying settings or accessing sensitive data [1]. The vulnerability details indicate that this type of flaw is commonly used in mass exploitation campaigns against thousands of websites simultaneously [1].
Mitigation
The vendor has patched the issue in version 1.0.24 or later [1]. Users are strongly advised to update the plugin immediately. Those unable to update should contact their hosting provider or developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
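To act on the mitigation above, the following added example (not code from this page or from the plugin) reads the installed plugin's `Version` header and classifies it against the affected range `<= 1.0.23`. It assumes the default `wp-content/plugins` layout and a plugin directory named after the slug `x-addons-elementor`; the fixture file name `main.php` is hypothetical.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "x-addons-elementor"  # slug from the CVE description
LAST_AFFECTED = "1.0.23"            # affected range on this page: <= 1.0.23

# Same idea as WordPress's own header parsing: "Version: x.y.z" in a comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)

def version_key(version):
    """'1.0.23' -> (1, 0, 23, 0): numeric compare, so 1.0.9 < 1.0.23."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0, 0])[:4]) if parts else None

def installed_version(plugin_dir):
    """Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads 8 KB
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return match.group(1)
    return None

def audit(wp_root):
    """Return (status, version) for one WordPress document root."""
    # Assumption: default layout, plugin directory named after the slug.
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "not-installed", None
    version = installed_version(plugin_dir)
    key = version_key(version) if version else None
    if key is None:
        return "unknown", version  # no parsable version: review manually
    affected = key <= version_key(LAST_AFFECTED)
    return ("vulnerable" if affected else "patched"), version

def make_sample(wp_root, version):
    """Constructed test fixture: a minimal plugin file with a header."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True, exist_ok=True)
    header = f"<?php\n/**\n * Plugin Name: Sample\n * Version: {version}\n */\n"
    (plugin_dir / "main.php").write_text(header)  # file name is hypothetical

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for v in ("1.0.9", "1.0.23", "1.0.24"):
            make_sample(root, v)
            print(v, audit(root))
```

A result of `unknown` means the header could not be parsed and the install should be checked by hand rather than assumed safe.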
Affected products
- Range: <= 1.0.23
- Range: <= 1.0.23
Patches
No patches discovered yet.
References