Impact
This vulnerability is a missing authorization flaw (CWE-862) in the News Kit Elementor Addons plugin that allows attackers to exploit improperly configured access control levels. An attacker who can interact with the plugin's administrative interfaces could gain unauthorized privileges, potentially reading, modifying, or deleting content and settings. The weakness stems from a failure to enforce role-based protection, which puts the confidentiality and integrity of site data at risk from any user who can reach the plugin endpoints.
Affected Systems
The flaw affects the WordPress plugin News Kit Elementor Addons by blazethemes, versions from the earliest release through 1.4.2. Users running the plugin on WordPress sites must verify their installation version. No later versions are known to be impacted.
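One way to run that version check across a plugins directory is sketched below. This is an added example, not code from the advisory or the plugin: it assumes the plugin's header comment carries the `Plugin Name` shown in this advisory, and the sample installs it scans are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "News Kit Elementor Addons"  # assumed to match the plugin header
LAST_AFFECTED = (1, 4, 2)                  # advisory: affected through 1.4.2
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t*/]*$", re.M | re.I)

def read_plugin_header(php_file):
    """Return the 'plugin name' and 'version' fields of a plugin header comment."""
    # WordPress itself only reads the first 8 KiB of a file for headers.
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value.strip() for key, value in HEADER_RE.findall(text)}

def version_tuple(version):
    """'1.4.2' -> (1, 4, 2); a suffix such as '-beta' is ignored."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def find_affected(plugins_dir):
    """List (path, version) for affected installs under a wp-content/plugins dir."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_plugin_header(php)
        if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        # A missing Version header is treated as affected (conservative choice).
        version = header.get("version", "0")
        if version_tuple(version) <= LAST_AFFECTED:
            hits.append((str(php), version))
    return hits

def build_sample(root, folder, version):
    """Write a constructed sample install (hypothetical folder and file names)."""
    d = Path(root) / folder
    d.mkdir(parents=True)
    (d / "plugin.php").write_text(
        f"<?php\n/**\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "site-a", "1.4.2")
        build_sample(tmp, "site-b", "1.4.3")
        for path, version in find_affected(tmp):
            print(f"AFFECTED {version}: {path}")
```

Point `find_affected` at a real `wp-content/plugins` directory to audit a site; matching on the header name rather than the folder name still finds installs whose folder was renamed.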
Risk and Exploitability
The CVSS score is 4.3, indicating moderate risk, and the EPSS score of less than 1% suggests a very low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote, achievable by any authenticated or unauthenticated user who can access plugin administrative pages. Exploitation requires no special hardware or privileged network access, but it does rely on the presence of an accessible WordPress instance with the affected plugin installed.