Impact
This vulnerability arises from a missing authorization check in the Headinger for Elementor plugin: a code path that should verify the caller's permissions does not, so improperly configured access-control levels can be exploited. An attacker who gains access to the plugin could change front-end heading styles or override default settings that were intended to be restricted, breaching the principle of least privilege. The weakness is classified as CWE-862 (Missing Authorization) and presents a risk of unauthorized actions rather than direct code execution or denial of service.
Affected Systems
The issue affects all versions of the WordPress Headinger for Elementor plugin up to and including 1.1.4; none of them includes the necessary authorization guard. Users running any of these versions should verify the installed version before applying remediation.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. With an EPSS score below 1%, the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV database. The attack vector is inferred to require an authenticated user whose role is misconfigured: an attacker would need to leverage broken role checks within the plugin to elevate privileges and modify settings.
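To make the CWE-862 pattern described in the Impact and Risk sections concrete, the following is an added illustrative example, not code from the Headinger for Elementor plugin: a hypothetical WordPress admin-ajax handler that saves heading settings, shown first without any authorization check and then with the capability and nonce checks that close the gap. The action name, option key and field names are assumptions.

```php
<?php
// Added illustrative example; not the plugin's own code.
// Assumed: the plugin registers an admin-ajax action that saves heading
// style settings. Names below (action, option key, fields) are hypothetical.

// BEFORE (CWE-862): wp_ajax_{action} is reachable by ANY logged-in user,
// and the handler never asks whether the caller is allowed to change
// site-wide settings. A low-privileged account can therefore overwrite them.
function headinger_demo_save_settings_vulnerable() {
    $settings = array(
        'heading_color' => sanitize_hex_color( $_POST['heading_color'] ?? '' ),
        'heading_tag'   => sanitize_key( $_POST['heading_tag'] ?? 'h2' ),
    );
    update_option( 'headinger_demo_settings', $settings ); // hypothetical key
    wp_send_json_success();
}

// AFTER: the same handler with an authorization guard. The capability check
// is the CWE-862 fix: current_user_can() consults the caller's role, so a
// misconfigured or low-privileged role without manage_options is refused.
// The nonce check is a separate CSRF defence and does not replace it.
function headinger_demo_save_settings_fixed() {
    // Dies with a 403-style response if the nonce is missing or invalid.
    check_ajax_referer( 'headinger_demo_save', 'nonce' );

    // Authorization: only users allowed to manage options may save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = array(
        'heading_color' => sanitize_hex_color( $_POST['heading_color'] ?? '' ),
        'heading_tag'   => sanitize_key( $_POST['heading_tag'] ?? 'h2' ),
    );
    update_option( 'headinger_demo_settings', $settings ); // hypothetical key
    wp_send_json_success();
}

// Register only the authenticated hook; deliberately no wp_ajax_nopriv_
// variant, so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_headinger_demo_save', 'headinger_demo_save_settings_fixed' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, REST route or `admin_post_*` handler that writes options or content and confirm that a `current_user_can()` (or a REST `permission_callback`) gates it, independent of any nonce check.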
OpenCVE Enrichment