Description
Missing Authorization vulnerability in merkulove Buttoner for Elementor buttoner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Buttoner for Elementor: from n/a through <= 1.0.6.
Published: 2025-12-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization issue: a settings-change action in the Buttoner for Elementor plugin is exposed without an adequate privilege check, so users who should not be able to modify the plugin configuration can do so. Unauthorized changes to plugin options can alter site behavior or introduce further security weaknesses. The associated weakness is CWE-862 (Missing Authorization), meaning the code performs an action without verifying that the caller is permitted to request it.

Affected Systems

Affected product: Buttoner for Elementor by merkulove. Any installation of the plugin at version 1.0.6 or earlier is vulnerable (no lower version bound is given). WordPress sites running an affected version are exposed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation has so far been unlikely. The vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:L/UI:N) describes a network-reachable flaw that requires only a low-privileged authenticated account and no user interaction. Because the flaw is a missing authorization check, the most likely attack path is through the plugin's administrative interface using any authenticated account, including a low-privileged one. Such a user could adjust settings or redirect plugin behavior, depending on which functions the plugin exposes.

Generated by OpenCVE AI on April 29, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Buttoner for Elementor to version 1.0.7 or later, which contains the authorization fix.
  • If an upgrade is not immediately possible, restrict access to the plugin’s settings page to the WordPress administrator role only, preventing lower‑privileged users from modifying configuration.
  • Review and adjust the site's role and capability settings so that only trusted users can modify plugin options, and monitor the site for unauthorized changes.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Merkulove; Merkulove buttoner For Elementor; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Merkulove; Merkulove buttoner For Elementor; Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 15:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Missing Authorization vulnerability in merkulove Buttoner for Elementor buttoner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Buttoner for Elementor: from n/a through <= 1.0.6.

Type: Title
  Values Removed: (none)
  Values Added: WordPress Buttoner for Elementor plugin <= 1.0.6 - Settings Change vulnerability

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-862

Type: References
  Values Removed: (none)
  Values Added:

Subscriptions

Merkulove Buttoner For Elementor
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:58:58.123Z

Reserved: 2025-12-15T10:01:29.283Z

Link: CVE-2025-68085

Vulnrichment

Updated: 2025-12-16T15:04:46.799Z

NVD

Status: Deferred

Published: 2025-12-16T09:16:03.637

Modified: 2026-04-24T20:16:24.807

Link: CVE-2025-68085

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses