Description
The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting.
Published: 2025-08-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of plugin settings by authenticated users
Action: Immediate Update
AI Analysis

Impact

The plugin contains a missing capability check in the function that saves its compatibility setting. This flaw allows any logged‑in user with Subscriber or higher access to change the plugin’s compatibility option. The change does not grant direct code execution or full administrative rights, but it permits unauthorised configuration changes that could alter site appearance or functionality and serve as a foothold for further compromise.

Affected Systems

WordPress installations running the Ultimate Addons for Elementor (formerly Elementor Header & Footer Builder) plugin version 2.4.6 or older. The vulnerability applies to all supported installation paths for these versions.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation today. The flaw is not listed in the CISA KEV catalog. Attackers would need to authenticate to the WordPress site with at least Subscriber role; the vulnerability is accessed through the normal admin interface, after which the unauthorized update can be performed without additional conditions.

Generated by OpenCVE AI on April 21, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ultimate Addons for Elementor to version 2.4.7 or later to apply the missing capability check.
  • If an upgrade cannot be performed immediately, limit the Subscriber role by removing any capabilities that allow editing of HFE plugin options or revoke the 'manage_options' capability for that role.
  • Re‑evaluate the necessity of the compatibility setting and disable or remove it if it is not required for site operation.

Generated by OpenCVE AI on April 21, 2026 at 03:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23431 The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting.
History

Tue, 05 Aug 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Brainstormforce
Brainstormforce ultimate Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Brainstormforce
Brainstormforce ultimate Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Mon, 04 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 02 Aug 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting.
Title Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Brainstormforce Ultimate Addons For Elementor
Elementor Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:07.895Z

Reserved: 2025-08-01T20:36:48.454Z

Link: CVE-2025-8488

cve-icon Vulnrichment

Updated: 2025-08-04T13:27:47.631Z

cve-icon NVD

Status : Deferred

Published: 2025-08-02T10:15:27.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:45:27Z

Weaknesses