Impact
The vulnerability is a missing authorization flaw in Elementor's Website Builder plugin, allowing attackers to exploit incorrectly configured access control levels. This flaw provides unauthorized access to functions that should be protected, potentially enabling the creation, editing, or deletion of content without proper permission.
Affected Systems
WordPress sites that employ the Elementor Website Builder plugin up to and including version 3.33.0 are affected. All users who interact with the plugin via the web interface are potentially vulnerable, as the issue applies regardless of the user’s role.
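An added example (not part of the advisory and not Elementor's code): a check that reads the `Version` header from the plugin's main file under a WordPress root and flags installs inside the affected range stated above. The install path `wp-content/plugins/elementor/elementor.php`, the helper names and the sample site tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# From the advisory: affected "up to and including version 3.33.0".
LAST_AFFECTED = (3, 33, 0)
# Assumed standard install location of the plugin's main file.
MAIN_FILE = Path("wp-content/plugins/elementor/elementor.php")
# WordPress plugin header line, e.g. " * Version: 3.33.0".
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def read_plugin_version(wp_root):
    """Return the Version header string, or None if plugin/header is absent."""
    try:
        head = (Path(wp_root) / MAIN_FILE).read_text(errors="replace")[:8192]
    except OSError:
        return None
    match = VERSION_RE.search(head)
    return match.group(1) if match else None


def parse_version(text):
    """'3.33' -> (3, 33, 0). Any suffix such as '-beta1' is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version_text):
    """True when the version is at or below the last affected release."""
    return parse_version(version_text) <= LAST_AFFECTED


def make_constructed_site(version):
    """Build a throwaway WordPress-like tree (constructed sample input)."""
    root = Path(tempfile.mkdtemp())
    main = root / MAIN_FILE
    main.parent.mkdir(parents=True)
    main.write_text(f"<?php\n/**\n * Plugin Name: Elementor\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for v in ("3.32.5", "3.33.0", "3.33.1"):
        found = read_plugin_version(make_constructed_site(v))
        print(found, "AFFECTED" if is_affected(found) else "not in affected range")
```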
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Although the description does not detail the exact attack vector, the likely exploitation path involves a web request to the plugin’s exposed endpoints, implying that any site visitor could potentially trigger the unauthorized actions. Prompt patching is recommended to mitigate this risk.