Impact
A missing authorization flaw in the Comparimager for Elementor plugin allows attackers to bypass intended access restrictions and perform unintended actions within the plugin’s scope. Because the vulnerability stems from incorrectly configured access control levels (the plugin does not verify that the requester holds the required permission before acting), users with compromised or low-privileged accounts may gain the ability to manipulate comparison data or inject content without proper permissions. The weakness maps to CWE-862 (Missing Authorization) and can potentially impact the confidentiality and integrity of content managed through the plugin.
Affected Systems
The vulnerability affects the WordPress Comparimager for Elementor plugin released by merkulove, specifically all versions from the first available release through 1.0.1. Sites running any of these versions are exposed to exploitation unless the issue is mitigated.
Risk and Exploitability
The CVSS score of 5.4 indicates medium severity, while the EPSS score of less than 1% points to a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves interacting with the plugin’s web interface, where an attacker (authenticated with limited privileges, or potentially unauthenticated, depending on site configuration) could exploit the missing authorization check to perform privileged plugin operations.
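The following added example is not the Comparimager plugin's code and does not describe its internals; it is a generic WordPress illustration of the CWE-862 shape discussed in the Impact and Risk sections above, shown beside the hardened form a reviewer would expect. The action names, option name and capability (`hypo_*`, `edit_posts`) are hypothetical assumptions; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `register_rest_route`, `wp_send_json_error`) are real core APIs.

```php
<?php
/**
 * Added illustration (not the Comparimager plugin's code): a generic
 * WordPress AJAX handler shown first without, then with, the server-side
 * authorization check whose absence CWE-862 describes. All hook, option
 * and capability names are hypothetical.
 */

// --- Pattern A: missing authorization (the CWE-862 shape) -----------------
// Any logged-in user can reach a wp_ajax_* action, and a wp_ajax_nopriv_*
// alias would expose it to unauthenticated visitors as well. Nothing here
// asks whether this user is allowed to change the comparison content, and
// no nonce is checked, so the request can also be forged cross-site.
add_action( 'wp_ajax_hypo_save_comparison', 'hypo_save_comparison_unchecked' );
function hypo_save_comparison_unchecked() {
    $before = isset( $_POST['before_url'] ) ? esc_url_raw( wp_unslash( $_POST['before_url'] ) ) : '';
    $after  = isset( $_POST['after_url'] )  ? esc_url_raw( wp_unslash( $_POST['after_url'] ) )  : '';
    update_option( 'hypo_comparison', array( 'before' => $before, 'after' => $after ) );
    wp_send_json_success();
}

// --- Pattern B: authorization enforced server-side -------------------------
add_action( 'wp_ajax_hypo_save_comparison_v2', 'hypo_save_comparison_checked' );
function hypo_save_comparison_checked() {
    // 1. Intent check: the request must carry a nonce issued for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'hypo_save_comparison', 'nonce' );

    // 2. Authorization check: the capability decides, not the login state.
    //    A subscriber-level account is authenticated but must still be refused.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $before = isset( $_POST['before_url'] ) ? esc_url_raw( wp_unslash( $_POST['before_url'] ) ) : '';
    $after  = isset( $_POST['after_url'] )  ? esc_url_raw( wp_unslash( $_POST['after_url'] ) )  : '';
    update_option( 'hypo_comparison', array( 'before' => $before, 'after' => $after ) );
    wp_send_json_success();
}

// --- REST API equivalent: permission_callback is the authorization hook ----
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo/v1', '/comparison', array(
        'methods'             => 'POST',
        'callback'            => 'hypo_rest_save_comparison',
        // Using '__return_true' here would reproduce the CWE-862 pattern for
        // any visitor; the capability check belongs in this callback.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'before_url' => array( 'required' => true, 'sanitize_callback' => 'esc_url_raw' ),
            'after_url'  => array( 'required' => true, 'sanitize_callback' => 'esc_url_raw' ),
        ),
    ) );
} );

function hypo_rest_save_comparison( WP_REST_Request $request ) {
    update_option( 'hypo_comparison', array(
        'before' => $request->get_param( 'before_url' ),
        'after'  => $request->get_param( 'after_url' ),
    ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this weakness, the review question is the same for both transport styles: for every state-changing `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` or REST route, is there a `current_user_can()` (or an equivalent `permission_callback`) on the server side, and is it paired with a nonce check? Input sanitization, as in Pattern A, does not substitute for either.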
OpenCVE Enrichment