Impact
The vulnerability is a missing authorization flaw in the Codexpert, Inc Restrict Elementor Widgets, Columns and Sections plugin: an attacker can bypass the plugin's normal access checks and alter its configuration. This permits unauthorized changes to which Elementor widgets, columns, or sections are allowed, potentially compromising the site's layout and functionality, though it does not by itself give the attacker full control of the underlying WordPress installation.
Affected Systems
WordPress sites running the Codexpert, Inc Restrict Elementor Widgets, Columns and Sections plugin at version 1.12 or earlier. No lower bound is specified, so every release up to and including 1.12 should be treated as affected. Site administrators who have deployed any of these builds are at risk.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely the plugin's administrative interface or its associated REST endpoints, where the missing authorization check would let an authenticated, or possibly even an unauthenticated, user modify the plugin's settings. Exploitation would require only the ability to reach the affected web application; no code execution is needed. The advisory does not name a fixed release, so administrators should confirm the installed plugin version against the affected range and update as soon as a patched build is available.
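As an added defensive illustration (not the plugin's or OpenCVE's code), this shows the pattern behind a WordPress missing-authorization flaw of this kind and its fix: a hypothetical REST route for saving widget restrictions whose permission callback always returns true, beside one that enforces a capability check and sanitizes input. The route, option and function names are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Route, option and function names
// (rew/v1, rew_restricted_widgets, rew_*) are assumptions for illustration.

function rew_sanitize_widget_list( $raw ) {
    // Accept only a flat list of widget slugs such as "heading" or "image-box".
    $list = array_map( 'sanitize_key', (array) $raw );
    return array_values( array_unique( array_filter( $list ) ) );
}

function rew_save_restrictions( WP_REST_Request $request ) {
    $widgets = rew_sanitize_widget_list( $request->get_param( 'widgets' ) );
    update_option( 'rew_restricted_widgets', $widgets );
    return rest_ensure_response( array( 'restricted' => $widgets ) );
}

add_action( 'rest_api_init', function () {
    // MISSING AUTHORIZATION (shown for contrast, kept disabled): with a
    // permission_callback that always returns true, anyone who can reach
    // /wp-json/ may rewrite the restriction settings.
    /*
    register_rest_route( 'rew/v1', '/restrictions', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'rew_save_restrictions',
        'permission_callback' => '__return_true',
    ) );
    */

    // HARDENED: the permission callback requires a capability, so only users
    // allowed to manage site options can change the configuration. With
    // cookie authentication WordPress core also requires a valid X-WP-Nonce
    // header, which blocks cross-site request forgery against this route.
    register_rest_route( 'rew/v1', '/restrictions', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'rew_save_restrictions',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'widgets' => array(
                'required'          => true,
                'type'              => 'array',
                'sanitize_callback' => 'rew_sanitize_widget_list',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, search its `register_rest_route` calls and `wp_ajax_` hooks for settings writers that lack a capability check; unexpected 403 responses on such routes are also a useful signal in access logs once the fix is in place.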
OpenCVE Enrichment