Description
Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Huger for Elementor: from n/a through <= 1.1.5.
Published: 2025-12-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Huger for Elementor plugin by merkulove that allows an attacker to bypass configured access controls and perform unauthorized actions within a WordPress site. Because the plugin does not perform proper checks, attackers could potentially create, edit, or delete content or settings intended for restricted users, resulting in moderate confidentiality and integrity damage.

Affected Systems

Affected systems are sites running the Huger for Elementor plugin from merkulove, specifically all versions from the earliest release through 1.1.5. WordPress sites that rely on this plugin within that version range are impacted, with no other vendors or product variants listed.

Risk and Exploitability

The CVSS score of 5.4 places the vulnerability in the medium range, and the EPSS score of less than 1% indicates a low probability of exploitation at this time. While the issue is not listed in the CISA KEV catalog, it remains a concern for any site that uses the affected plugin. The likely attack vector is remote, through the WordPress admin area or REST API where the plugin’s functionality is exposed, allowing an attacker to elevate privileges over the plugin’s features and compromise broader site security.

Generated by OpenCVE AI on April 29, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Huger for Elementor plugin to version 1.1.6 or later, which addresses the missing authorization checks.
  • After upgrading, review and enforce proper user role permissions within Elementor and WordPress so that only trusted users can manage content through the plugin.
  • If the plugin is not needed, disable or deactivate it to eliminate the risk.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Merkulove; Merkulove huger For Elementor; Wordpress; Wordpress wordpress |
| Vendors & Products | | Merkulove; Merkulove huger For Elementor; Wordpress; Wordpress wordpress |

Tue, 16 Dec 2025 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 16 Dec 2025 08:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Huger for Elementor: from n/a through <= 1.1.5. |
| Title | | WordPress Huger for Elementor plugin <= 1.1.5 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:59:26.677Z

Reserved: 2025-12-15T10:01:29.283Z

Link: CVE-2025-68088

Vulnrichment

Updated: 2025-12-16T15:47:56.320Z

NVD

Status: Deferred

Published: 2025-12-16T09:16:04.040

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses