CVE-2025-24618
Published: 24 January 2025
Summary
CVE-2025-24618 is a medium-severity Missing Authorization (CWE-862) vulnerability in Elementinvader's ElementInvader Addons For Elementor WordPress plugin. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly addressing the missing authorization checks exploited in this plugin vulnerability.
- AC-6 (Least Privilege): Applies least privilege to limit low-privileged users' access, mitigating the impact of authorization bypasses that lead to unauthorized modifications.
- SI-2 (Flaw Remediation): Requires identification, reporting, and remediation of flaws like this CVE through timely patching of the vulnerable plugin.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The CVE describes a missing authorization vulnerability in a public-facing WordPress plugin, which directly enables remote exploitation of the application by low-privileged authenticated users over the network.
NVD Description
Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.3.1.
Deeper analysis
CVE-2025-24618 is a missing authorization vulnerability, classified as CWE-862 (Missing Authorization), in the ElementInvader Addons for Elementor WordPress plugin (elementinvader-addons-for-elementor). The flaw stems from incorrectly configured access control security levels and affects all versions from n/a through 1.3.1. Published on 2025-01-24, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): the plugin is reachable over the network and the attack complexity is low.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely without any user interaction (UI:N). Successful exploitation results in a low integrity impact (I:L), such as unauthorized modifications, with no impact on confidentiality or availability (C:N/A:N).
Patchstack documents this as a broken access control vulnerability in plugin version 1.3.1, with details available in their database advisory at https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-3-1-broken-access-control-vulnerability?_s_id=cve.
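The vulnerability class described above (a logged-in, low-privileged user reaching a plugin action that never checks authorization), illustrated with an added PHP example that is not the plugin's code: a WordPress AJAX handler with the CWE-862 pattern next to the same handler with a nonce and a capability check enforced. The action, option and capability names are assumptions chosen for the illustration.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin AJAX handler.
// The action name, option name and capability below are assumptions for
// this example; they are not taken from the ElementInvader plugin.

// VULNERABLE PATTERN: registered on wp_ajax_* (logged-in users only), but
// with no capability check. Any authenticated account, including a
// Subscriber (CVSS PR:L), can change the option (CVSS I:L).
function ei_example_save_settings_vulnerable() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'ei_example_setting', $value ); // no authorization check
    wp_send_json_success();
}
add_action( 'wp_ajax_ei_example_save_settings_vulnerable', 'ei_example_save_settings_vulnerable' );

// HARDENED PATTERN: verify a nonce (CSRF) and enforce the capability
// (authorization, NIST AC-3) before touching the option.
function ei_example_save_settings_fixed() {
    // Rejects requests that do not carry a valid nonce for this action
    // (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'ei_example_save_settings', 'nonce' );

    // Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'ei_example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_ei_example_save_settings_fixed', 'ei_example_save_settings_fixed' );

// The nonce is issued to the admin page that calls the endpoint, e.g.:
// wp_localize_script( 'ei-example-admin', 'eiExample', array(
//     'nonce' => wp_create_nonce( 'ei_example_save_settings' ),
// ) );
```

Reviewing a plugin for this class of bug means checking every `wp_ajax_*`, `admin_post_*` and REST route callback for a `current_user_can()` (or a REST `permission_callback`) that matches the privilege the action actually requires, since the nonce alone only proves intent, not authorization.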
Details
- CWE(s): CWE-862 (Missing Authorization)