CVE-2026-25398
Received Received - Intake
Missing Authorization in Vertex Addons for Elementor

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25398
EUVD
EUVD-2026-15711
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
webilia_inc vertex_addons_for_elementor to 1.6.4 (inc)
webilia_inc vertex_addons_for_elementor From 1.0.0 (inc) to 1.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a Broken Access Control issue that allows unprivileged users to perform actions reserved for higher-privileged roles. Such unauthorized access can lead to potential data breaches or unauthorized data manipulation.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow unauthorized access can compromise the confidentiality, integrity, and availability of data, which are core principles in these regulations.

Therefore, exploitation of this vulnerability could potentially lead to non-compliance with regulations requiring strict access controls and protection of sensitive data.

Executive Summary

CVE-2026-25398 is a medium priority Broken Access Control vulnerability in the WordPress plugin "Vertex Addons for Elementor" versions up to and including 1.6.4.

The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unprivileged users to perform actions that should be restricted to higher-privileged roles.

This issue is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a moderate risk.

Impact Analysis

This vulnerability can allow attackers with low privileges to perform actions reserved for higher-privileged users, potentially compromising the security and integrity of your WordPress site.

Because the vulnerability affects access control, it could lead to unauthorized changes, data exposure, or other malicious activities on affected websites.

The vulnerability has potential for exploitation in mass-attack campaigns targeting numerous websites regardless of their traffic or popularity.

No official patch is currently available, but mitigation rules exist to block exploitation attempts until a patch is released.

Mitigation Strategies

Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the mitigation rule released by Patchstack to block exploitation attempts.

Users are advised to update the plugin immediately once an official patch is released.

Alternatively, seek assistance from your hosting provider or web developer to implement mitigation measures until the patch is available.

Detection Guidance

There is no specific information provided about commands or methods to detect this vulnerability on your network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25398. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart