CVE-2026-25416
Missing Authorization in News Kit Elementor Addons
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blazethemes | news_kit_elementor_addons | From 1.0.0 (inc) to 1.4.2 (inc) |
| blazethemes | news_kit_elementor_addons | to 1.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25416 is a broken access control vulnerability in the WordPress News Kit Elementor Addons Plugin versions up to and including 1.4.2.
The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions.
This allows unprivileged users, such as subscribers, to perform actions that should be restricted to higher-privileged roles like developers.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
The vulnerability could allow users with low privileges to perform actions reserved for higher-privileged roles, potentially leading to unauthorized changes or access within the affected WordPress plugin.
However, the severity is considered low with a CVSS score of 4.3, indicating a low likelihood of exploitation and minimal impact.
No official patch is currently available, so monitoring and mitigation through security services is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization and authentication checks within certain functions of the News Kit Elementor Addons plugin, allowing lower-privileged users to perform higher-privileged actions.
Detection would involve reviewing access control configurations and monitoring for unauthorized actions performed by subscriber-level users or other low-privileged roles.
Since this is a WordPress plugin vulnerability, specific commands are not provided in the available resources. However, administrators can audit user role permissions and check plugin function calls for missing authorization.
What immediate steps should I take to mitigate this vulnerability?
No official patch is currently available for this vulnerability.
Patchstack recommends monitoring affected sites and emphasizes that the impact is minimal with low likelihood of exploitation.
Immediate mitigation steps include limiting user roles and permissions to the minimum necessary, auditing plugin usage, and considering disabling or removing the News Kit Elementor Addons plugin if possible until a patch is released.