The vulnerability is a missing authorization flaw in POSIMYTH Innovation’s The Plus Addons for Elementor Pro that allows exploitation of incorrectly configured access control security levels. The flaw can enable an attacker to gain access to privileged settings or features that should be restricted, potentially allowing unauthorized content changes or other privileged operations. It is classified as CWE‑862 – Broken Access Control. The impact is limited to elevating privileges within the plugin’s scope rather than full system compromise.

WordPress sites that have the POSIMYTH Innovation plugin The Plus Addons for Elementor Pro installed, with any version earlier than 6.3.7. All earlier releases, including v6.3.6 and older, are affected.

The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, reflecting a very low exploitation probability at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is via the WordPress administrative interface, where an attacker with access to a user role that can interact with the plugin’s settings may exploit the broken authorization. Successful exploitation would require the plugin to be active and the attacker to possess at least some authenticated access to the site’s backend. No remote code execution or information disclosure is reported; the compromise is confined to privilege escalation within the plugin’s functionality.