CVE-2025-24618
Published: 24 January 2025
Summary
CVE-2025-24618 is a medium-severity Missing Authorization (CWE-862) vulnerability in the ElementInvader Addons for Elementor WordPress plugin. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24618 is a missing authorization vulnerability, tied to CWE-862 (Missing Authorization), in the ElementInvader Addons for Elementor WordPress plugin (elementinvader-addons-for-elementor). The flaw enables exploitation of incorrectly configured access control security levels and affects all versions from n/a through 1.3.1. Published on 2025-01-24, it carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating network accessibility with low attack complexity.
Low-privileged remote users (PR:L) can exploit this vulnerability without user interaction over the network. Exploitation leads to low-impact integrity violations (I:L), such as unauthorized modifications, while preserving confidentiality and availability.
Patchstack documents this as a broken access control vulnerability in plugin version 1.3.1, with details available in their database advisory at https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-3-1-broken-access-control-vulnerability?_s_id=cve.
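To make the CWE-862 pattern concrete for defenders and code reviewers, the following is an added, hypothetical WordPress plugin handler (it is not the ElementInvader plugin's code, and the hook names, option name and capability are assumptions). It shows why a nonce alone does not stop a low-privileged authenticated user (PR:L) from making an unauthorized change (I:L), and what the corrected handler looks like for both admin-ajax and REST routes.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical WordPress plugin
// settings handler showing the CWE-862 pattern described above and its fix.
// Hook names, option name and capability are assumptions for the example.

// --- Vulnerable pattern: authenticated, but no authorization check ---------
// Any logged-in user (PR:L), e.g. a subscriber, can reach wp_ajax_* handlers.
// The nonce only proves the request came from the plugin's own page; it says
// nothing about whether this user is allowed to change settings (I:L).
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    // Missing: a current_user_can() check. This is the CWE-862 defect.
    $value = sanitize_text_field( wp_unslash( $_POST['layout'] ?? '' ) );
    update_option( 'example_addon_layout', $value );
    wp_send_json_success();
}

// --- Hardened pattern: nonce for CSRF *and* a capability check for AuthZ ---
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // Deny with 403; wp_send_json_error() terminates the request.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['layout'] ?? '' ) );
    update_option( 'example_addon_layout', $value );
    wp_send_json_success();
}

// --- Same rule for REST routes: permission_callback carries the AuthZ check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addon/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option(
                'example_addon_layout',
                sanitize_text_field( (string) $req->get_param( 'layout' ) )
            );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        // Using '__return_true' here would reproduce the CWE-862 pattern:
        // every authenticated (or even anonymous) caller could change settings.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of flaw, grep every `wp_ajax_*`, `admin_post_*` and `register_rest_route` registration and confirm that each state-changing handler performs a `current_user_can()` check (or an equivalent `permission_callback`) in addition to any nonce verification; the nonce addresses CSRF, not authorization, which is the distinction AC-3 (Access Enforcement) is concerned with.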
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3822
Vulnerability details
Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.3.1.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
The CVE describes a missing authorization vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of the application by low-privileged authenticated users over the network.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly addressing the missing authorization checks exploited in this plugin vulnerability.
- Least privilege: Applies least privilege to limit low-privileged users' access, mitigating the impact of authorization bypasses that lead to unauthorized modifications.
- SI-2 (Flaw Remediation): Requires identification, reporting, and remediation of flaws like this CVE through timely patching of the vulnerable plugin.