Impact
The vulnerability is a missing authorization flaw that allows an attacker to interact with endpoints and functions that should be protected by access control. An attacker who can reach these endpoints can read or modify content and perform administrative actions beyond their intended user level. The flaw maps to CWE‑862 (Missing Authorization). The impact is a moderate elevation of privilege that could compromise the integrity and confidentiality of documents created by the plugin.
Affected Systems
Affected product: ADD‑ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder. Versions from the earliest available release up to and including 5.5.1 are impacted; the fix is delivered in version 5.6.1.
Risk and Exploitability
The CVSS score of 5.0 indicates a moderate impact. No EPSS score is available, so the likelihood of exploitation is currently unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is web requests to privileged plugin endpoints. Exploitation requires the attacker to have at least a valid authenticated session, although unauthenticated users could potentially exploit it as well if the plugin does not guard those endpoints properly. A successful attack would allow access to protected documents or administrative functions that should be restricted to higher‑privileged users.