VYPR
Medium severity · 5.4 · NVD Advisory · Published Feb 3, 2026 · Updated Apr 15, 2026

CVE-2026-25028

Description

Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in ElementInvader Addons for Elementor plugin (<=1.4.1) allows unauthenticated exploitation of access controls.

Vulnerability

Description: The ElementInvader Addons for Elementor plugin for WordPress versions through 1.4.1 suffers from a missing authorization vulnerability. This flaw stems from incomplete access control checks, allowing attackers to exploit incorrectly configured security levels without proper authentication [1].

Exploitation

Attack Surface: Attackers can trigger this vulnerability without any prior authentication, making it accessible to unauthenticated web visitors. The issue is particularly dangerous because it can be automated and used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].

Impact

Successful exploitation enables an unprivileged attacker to execute actions that should require higher privileges, such as modifying plugin settings or accessing sensitive data. The CVSS v3 base score of 5.4 indicates medium severity, but the ease of exploitation raises the practical risk [1].

Mitigation

The plugin vendor has released version 1.4.2, which addresses the missing authorization checks. Users are strongly advised to update immediately. For Patchstack users, enabling auto-updates for vulnerable plugins is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 1

News mentions: 1