CVE-2026-25416
Awaiting Analysis Awaiting Analysis - Queue
Missing Authorization in News Kit Elementor Addons

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Patchstack

Description
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Kit Elementor Addons: from n/a through <= 1.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25416
EUVD
EUVD-2026-8200
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
blazethemes news_kit_elementor_addons From 1.0.0 (inc) to 1.4.2 (inc)
blazethemes news_kit_elementor_addons to 1.4.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25416 is a broken access control vulnerability in the WordPress News Kit Elementor Addons Plugin versions up to and including 1.4.2.

The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions.

This allows unprivileged users, such as subscribers, to perform actions that should be restricted to higher-privileged roles like developers.

It is classified under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

The vulnerability could allow users with low privileges to perform actions reserved for higher-privileged roles, potentially leading to unauthorized changes or access within the affected WordPress plugin.

However, the severity is considered low with a CVSS score of 4.3, indicating a low likelihood of exploitation and minimal impact.

No official patch is currently available, so monitoring and mitigation through security services is recommended.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from missing authorization and authentication checks within certain functions of the News Kit Elementor Addons plugin, allowing lower-privileged users to perform higher-privileged actions.

Detection would involve reviewing access control configurations and monitoring for unauthorized actions performed by subscriber-level users or other low-privileged roles.

Since this is a WordPress plugin vulnerability, specific commands are not provided in the available resources. However, administrators can audit user role permissions and check plugin function calls for missing authorization.

Mitigation Strategies

No official patch is currently available for this vulnerability.

Patchstack recommends monitoring affected sites and emphasizes that the impact is minimal with low likelihood of exploitation.

Immediate mitigation steps include limiting user roles and permissions to the minimum necessary, auditing plugin usage, and considering disabling or removing the News Kit Elementor Addons plugin if possible until a patch is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25416. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart