Impact
This vulnerability is a missing authorization flaw that allows attackers to bypass the plugin’s access control mechanisms and gain unrestricted access to its administrative functions. The flaw arises from incorrectly configured security levels within the ElementInvader Addons for Elementor, enabling any user to perform actions intended for privileged administrators. The resulting impact includes potential theft or modification of site content and configuration, thereby compromising confidentiality, integrity, and availability of the WordPress installation. The weakness is identified as CWE‑862, which categorizes it as a broken access control issue.
Affected Systems
ElementInvader Addons for Elementor by Element Invader: all installations of plugin version 1.4.1 and earlier are affected. No specific WordPress core versions are mentioned; any WordPress site with a vulnerable version of the add-ons installed is exposed.
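To check an installation against the affected range above, the following added example (not part of the advisory or of the plugin's code) reads the `Version:` header from a plugin directory's top-level PHP files and compares it numerically with 1.4.1. The plugin directory path is supplied by the caller, and reading the version from the standard WordPress plugin header is an assumption about how this plugin declares it.

```shell
#!/bin/sh
# Added example: flag plugin copies at or below the last affected version.
LAST_AFFECTED="1.4.1"   # from the advisory: "version 1.4.1 and earlier"

# Print the first "Version:" header value found in DIR's top-level PHP files.
# Assumption: the version is declared in the standard WordPress plugin header.
plugin_version() {
    cat "$1"/*.php 2>/dev/null | tr -d '\r' \
        | sed -n 's|^[[:space:]*#/]*[Vv]ersion:[[:space:]]*\([^[:space:]]*\).*|\1|p' \
        | head -n 1
}

# Return 0 if dotted version $1 <= $2, comparing components numerically
# (so 1.4.10 > 1.4.1, and a missing component counts as 0).
version_le() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x%%[!0-9]*} _y=${_y%%[!0-9]*}   # ignore suffixes such as "-beta"
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 0; fi
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 1; fi
    done
    return 0
}

# Exit status: 0 = newer than affected range, 1 = affected, 2 = version unknown.
check_plugin() {
    _v=$(plugin_version "$1")
    if [ -z "$_v" ]; then
        echo "UNKNOWN  $1 (no Version header found)"; return 2
    fi
    if version_le "$_v" "$LAST_AFFECTED"; then
        echo "AFFECTED $1 (version $_v <= $LAST_AFFECTED)"; return 1
    fi
    echo "OK       $1 (version $_v)"; return 0
}

# Usage: sh check.sh /path/to/wp-content/plugins/<plugin-dir> ...
for _d in "$@"; do
    check_plugin "$_d" || true
done
```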
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The CVE is not listed in the CISA KEV catalog, further indicating low exploitation activity. The attack vector is inferred to be a web‑based exploit, likely through plugin‑provided endpoints or administrative interfaces that lack proper capability checks. An attacker only needs to reach the affected WordPress instance and could exploit the weakness without prior authentication, depending on the implementation of the plugin’s permission checks.
OpenCVE Enrichment