CVE-2025-24618
Published: 24 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24618 is a missing authorization vulnerability, tied to CWE-862 (Missing Authorization), in the ElementInvader Addons for Elementor WordPress plugin (elementinvader-addons-for-elementor). The flaw enables exploitation of incorrectly configured access control security levels and affects all versions from n/a through 1.3.1. Published on 2025-01-24, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating network accessibility with low attack complexity.
Low-privileged remote users (PR:L) can exploit this vulnerability without user interaction over the network. Exploitation leads to low-impact integrity violations (I:L), such as unauthorized modifications, while preserving confidentiality and availability.
Patchstack documents this as a broken access control vulnerability in plugin version 1.3.1, with details available in their database advisory at https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-3-1-broken-access-control-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a missing authorization vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of the application by low-privileged authenticated users over the network.