Impact
The vulnerability is a missing authorization flaw that allows an attacker to exploit incorrect access control settings in the Sticky Header Effects for Elementor plugin. Because the plugin fails to check user permissions before performing privileged actions, a user with minimal or no privileges can manipulate plugin settings or perform actions intended for administrators. This can lead to unauthorized configuration changes, potential exposure of sensitive content, or a stepping stone for further attacks against the WordPress site. The weakness is classified as CWE-862 (Missing Authorization), a form of broken access control.
Affected Systems
The affected product is the POSIMYTH Sticky Header Effects for Elementor WordPress plugin, versions up through 2.1.2. Any WordPress installation that has this plugin installed will be vulnerable unless the plugin is updated beyond 2.1.2.
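The version range above can be checked on disk. The following is an added example, not code from the plugin or from this advisory's source: it reads the standard WordPress plugin header of each main file under a plugins directory and flags copies at or below 2.1.2. Matching on the "Plugin Name" header text and the sample tree (folder names, the 2.1.3 sample version) are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Sticky Header Effects for Elementor"  # name as given on this page
LAST_AFFECTED = (2, 1, 2)                            # "versions up through 2.1.2"

def read_header(php_file, field):
    """Return a WordPress plugin header field from the first 8 KiB, or None."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
    return m.group(1).strip() if m else None

def parse_version(text):
    """'2.1.2' -> (2, 1, 2); suffixes like '-beta' and trailing zeros are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def scan_plugins(plugins_dir):
    """Return (folder, version, affected) for each installed copy of the plugin."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        name = read_header(php, "Plugin Name")
        if not name or name.lower() != PLUGIN_NAME.lower():
            continue
        version = read_header(php, "Version") or ""
        parsed = parse_version(version)
        # No parsable version: flag for manual review rather than assume patched.
        affected = (not parsed) or parsed <= LAST_AFFECTED
        results.append((php.parent.name, version, affected))
    return results

def demo():
    """Constructed sample tree: one copy in the affected range, one above it."""
    header = "<?php\n/**\n * Plugin Name: {}\n * Version: {}\n */\n"
    with tempfile.TemporaryDirectory() as root:
        for folder, ver in (("site-a-copy", "2.1.2"), ("site-b-copy", "2.1.3")):
            d = Path(root, folder)
            d.mkdir()
            (d / "main.php").write_text(header.format(PLUGIN_NAME, ver), encoding="utf-8")
        return scan_plugins(root)

if __name__ == "__main__":
    for folder, version, affected in demo():
        print(folder, version, "AFFECTED" if affected else "ok")
```

To check a real site, call `scan_plugins()` with the path to its `wp-content/plugins` directory.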
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% signifies that the likelihood of exploitation is very low at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack can be carried out by an authenticated user who can access the plugin's administrative interface; the exact vector is not explicitly described, so it is inferred that the attacker needs at least limited privileges within the WordPress site. The overall risk remains moderate, but the issue should be addressed promptly to mitigate possible future exploitation.