CVE-2026-25398
Missing Authorization in Vertex Addons for Elementor
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webilia_inc | vertex_addons_for_elementor | to 1.6.4 (inc) |
| webilia_inc | vertex_addons_for_elementor | From 1.0.0 (inc) to 1.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25398 is a medium priority Broken Access Control vulnerability in the WordPress plugin "Vertex Addons for Elementor" versions up to and including 1.6.4.
The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unprivileged users to perform actions that should be restricted to higher-privileged roles.
This issue is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a moderate risk.
How can this vulnerability impact me? :
This vulnerability can allow attackers with low privileges to perform actions reserved for higher-privileged users, potentially compromising the security and integrity of your WordPress site.
Because the vulnerability affects access control, it could lead to unauthorized changes, data exposure, or other malicious activities on affected websites.
The vulnerability has potential for exploitation in mass-attack campaigns targeting numerous websites regardless of their traffic or popularity.
No official patch is currently available, but mitigation rules exist to block exploitation attempts until a patch is released.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the mitigation rule released by Patchstack to block exploitation attempts.
Users are advised to update the plugin immediately once an official patch is released.
Alternatively, seek assistance from your hosting provider or web developer to implement mitigation measures until the patch is available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions reserved for higher-privileged roles. Such unauthorized access can lead to potential data breaches or unauthorized data manipulation.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow unauthorized access can compromise the confidentiality, integrity, and availability of data, which are core principles in these regulations.
Therefore, exploitation of this vulnerability could potentially lead to non-compliance with regulations requiring strict access controls and protection of sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about commands or methods to detect this vulnerability on your network or system.