Impact
The Thim Elementor Kit plugin contains an IDOR flaw in its request handling: a user-controlled key is used to look up an object without a proper authorization check, so an attacker can bypass access control by altering that key. This weakness, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), enables unauthorized access to restricted content or functionality belonging to other users, compromising the confidentiality and integrity of site data. The vulnerability can be leveraged by supplying an alternate object identifier to gain view or edit privileges that should be restricted.
Affected Systems
ThimPress Thim Elementor Kit versions up to and including 1.3.3 are vulnerable. Any WordPress installation running one of these versions without the critical patch is at risk. No minimum affected release is defined, so all releases of the plugin with a version number less than or equal to 1.3.3 are impacted.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not listed in CISA KEV, implying no known large-scale exploitation. Exploitation requires the attacker to be authenticated, or otherwise able to craft HTTP requests to the plugin's endpoints; once a request is accepted, substituting the user-controlled key with the identifier of another protected object achieves unauthorized data exposure. Because the flaw hinges on insufficient access control rather than a privilege escalation or code execution vector, the overall risk to the system is limited to loss of data confidentiality unless the accessed data can lead to further compromise.
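The access-control gap described above, illustrated with a hypothetical WordPress AJAX handler (an added example, not the Thim Elementor Kit plugin's own code): the weak handler trusts the object ID from the request, while the hardened handler ties that ID to a nonce check and a per-object capability check. The hook name, nonce action and the post type `example_template` are assumptions for the illustration.

```php
<?php
// Constructed example: both handlers take a 'template_id' from the request.
// Only the hardened one asks WordPress whether *this* user may act on *that* object.

// Weak pattern (CWE-639): the ID is used as-is. Any user who can reach the
// endpoint can update someone else's item just by changing 'template_id'.
// Deliberately not registered with add_action().
function example_weak_update_template() {
    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    $content     = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';

    if ( ! $template_id ) {
        wp_send_json_error( 'missing id', 400 );
    }
    // No nonce, no capability check, no ownership check.
    wp_update_post( array( 'ID' => $template_id, 'post_content' => $content ) );
    wp_send_json_success();
}

// Hardened pattern: verify the request origin, confirm the object exists and is
// of the expected type, then check the per-object 'edit_post' meta capability.
// An author who owns one template therefore cannot edit another author's.
function example_hardened_update_template() {
    check_ajax_referer( 'example_template_nonce', 'nonce' ); // sends 403 and dies on failure

    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    $content     = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';

    $post = $template_id ? get_post( $template_id ) : null;
    if ( ! $post || 'example_template' !== $post->post_type ) { // assumed custom post type
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_update_post( array( 'ID' => $post->ID, 'post_content' => $content ) );
    wp_send_json_success();
}

// Registered for authenticated users only. Omitting the 'wp_ajax_nopriv_' hook
// keeps anonymous callers out, but authentication alone is not authorization:
// the current_user_can() check above is what closes the IDOR.
add_action( 'wp_ajax_example_update_template', 'example_hardened_update_template' );
```

When reviewing a plugin for this class of bug, look for request-supplied IDs that reach `get_post`, `wp_update_post` or `delete_post` with only an `is_user_logged_in()` or nonce check in front of them.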
OpenCVE Enrichment