Description
Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

Absolute Addons For Elementor, a WordPress plugin, contains a missing authorization flaw that permits users to perform actions beyond their intended permissions. By exploiting incorrectly configured access control settings, an attacker can elevate privileges within the plugin, potentially accessing or modifying restricted content and configuration. This vulnerability falls under CWE‑862, indicating an absence of proper authorization checks.

Affected Systems

The vulnerability affects any WordPress installation that has AbsolutePlugins Absolute Addons For Elementor installed in version 1.0.14 or earlier. Versions 1.0.15 and later contain the fix. No other vendors or product lines are affected by this issue.

Risk and Exploitability

The CVSS v3 base score of 4.3 classifies the flaw as Medium severity, while an EPSS estimate below 1 percent indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker would reach the flaw through the WordPress site’s web interface, needing only authenticated access to the plugin’s administration functions. The broken access controls allow actions that exceed normal privileges, thereby causing unauthorized access.

Generated by OpenCVE AI on April 18, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Absolute Addons For Elementor plugin to version 1.0.15 or later to address the missing authorization flaw.
  • If a plugin update cannot be applied immediately, deactivate or uninstall the plugin from the WordPress installation to close the exposed attack path.
  • Review and restrict WordPress administrative roles, ensuring only trusted users can install or configure plugins, thus reducing the likelihood of unauthorized privilege escalation.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Abosoluteplugins
  Abosoluteplugins absolute Addons For Elementor
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Abosoluteplugins
  Abosoluteplugins absolute Addons For Elementor
  Wordpress
  Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14.

Type: Title
Values Removed: (none)
Values Added: WordPress Absolute Addons For Elementor plugin <= 1.0.14 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:57.823Z

Reserved: 2026-01-07T13:44:06.688Z

Link: CVE-2026-22468

Vulnrichment

Updated: 2026-01-23T20:05:39.156Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:35.523

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses