Impact
The Masterstudy Elementor Widgets plugin contains a missing authorization flaw that allows an attacker to access functionality that should be restricted to privileged users. This broken access control, classified as CWE-862, enables the elevation of privileges within the WordPress site, potentially permitting the attacker to manipulate widget settings or other sensitive plugin features. The result is a breach of confidentiality and integrity of the site’s configuration and user data.
Affected Systems
StylemixThemes Masterstudy Elementor Widgets is affected on any WordPress installation running plugin version 1.2.4 or any earlier release.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium severity level, while the EPSS score of less than 1% reflects a very low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a user with limited privileges sending crafted requests to the plugin’s administrative endpoints or, at the very least, a guest user attempting to access exposed functionality. Exploitation would require local role or capability manipulation within WordPress, and no public exploit has been reported.
OpenCVE Enrichment