Impact
The vulnerability arises from a missing authorization check in POSIMYTH Innovation’s The Plus Addons for Elementor Pro plugin, allowing attackers to bypass intended access controls and exploit incorrectly configured security levels. This broken access control, identified as CWE‑862, can result in unauthorized viewing, modification, or deletion of content and plugin settings, compromising the confidentiality, integrity, and availability of the WordPress site.
Affected Systems
WordPress sites running POSIMYTH Innovation’s The Plus Addons for Elementor Pro plugin in any version prior to 6.3.7 are susceptible to this flaw. The issue is present in every build from the plugin’s initial release up to, but not including, 6.3.7.
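A defender-side check for the version range stated above, as an added example that is not part of the advisory or the plugin's own code: it reads the `Version:` field from a WordPress plugin header and compares it numerically with 6.3.7. The sample header is constructed and the function names are hypothetical.

```python
import re

FIXED_VERSION = "6.3.7"  # first unaffected release, per the advisory text

# Constructed sample of a WordPress plugin main-file header (not the real file).
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: The Plus Addons for Elementor Pro
 * Version: 6.3.6
 * Author: POSIMYTH Innovation
 */
"""

def parse_version(text):
    """Turn '6.3.7' into (6, 3, 7); a suffix such as '-beta1' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def header_version(php_source):
    """Read the 'Version:' field from a plugin header comment, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", php_source, re.M | re.I)
    return m.group(1) if m else None

def is_affected(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, comparing numerically part by part."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # so 6.3 compares as 6.3.0
    b += (0,) * (width - len(b))
    return a < b  # tuple comparison: 6.3.10 is newer than 6.3.7

def assess(php_source):
    """Classify one plugin file: 'affected', 'patched' or 'unknown'."""
    version = header_version(php_source)
    if version is None:
        return "unknown"  # no header found: inspect manually, do not assume safe
    try:
        return "affected" if is_affected(version) else "patched"
    except ValueError:
        return "unknown"

if __name__ == "__main__":
    print(header_version(SAMPLE_HEADER), assess(SAMPLE_HEADER))
```

An `unknown` result means the header could not be read and the install still needs a manual check.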
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Because the plugin is web-based, the likely attack vector is remote exploitation via HTTP requests to the affected WordPress installation. No public exploits have been reported, but an attacker could submit crafted requests to the plugin’s endpoints to gain elevated access if the web server allows unauthenticated access.