Description
Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.
Published: 2026-01-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in Leap13 Premium Addons for Elementor that lets an attacker alter plugin settings without proper permission. The flaw is an incorrect access control configuration that can be exploited to gain unauthorized modification rights, potentially allowing broader compromise of the site. The weakness falls under CWE‑862, indicating an authorization error.

Affected Systems

The affected product is Leap13 Premium Addons for Elementor for WordPress, version 4.11.63 and earlier. Any WordPress installation that has the plugin of these versions or older installed is potentially vulnerable.

Risk and Exploitability

The CVSS base score is 5.4, reflecting moderate impact. The EPSS score is below 1 %, suggesting an extremely low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the plugin’s settings endpoint, which they could reach from any authenticated WordPress user, or potentially from unauthenticated sessions if the plugin exposes the endpoint. The missing authorization means that once the endpoint is identified, an attacker can change settings without further privileges.

Generated by OpenCVE AI on April 27, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Premium Addons for Elementor to the latest version that removes the authorization flaw.
  • If an upgrade cannot be performed immediately, disable or remove the plugin from the site.
  • Restrict access to the WordPress admin area and the plugin’s settings page to trusted administrators only, ensuring the security role has appropriate permissions.

Generated by OpenCVE AI on April 27, 2026 at 21:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Tue, 27 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Leap13
Leap13 premium Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Leap13
Leap13 premium Addons For Elementor
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.
Title WordPress Premium Addons for Elementor plugin <= 4.11.63 - Settings Change vulnerability
Weaknesses CWE-862
References

Subscriptions

Leap13 Premium Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:37.046Z

Reserved: 2025-12-31T20:11:57.533Z

Link: CVE-2025-69300

cve-icon Vulnrichment

Updated: 2026-01-27T17:59:34.333Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:26.597

Modified: 2026-04-27T21:16:23.590

Link: CVE-2025-69300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T21:15:05Z

Weaknesses