CVE-2025-67998
Published: 20 February 2026
Summary
CVE-2025-67998 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 27.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly mitigates the authentication bypass vulnerability by requiring timely identification, reporting, and correction of flaws in the Miraculous Elementor plugin.
- Enforces approved authorizations for logical access, preventing exploitation of alternate paths or channels that bypass authentication in the plugin.
- Requires unique identification and authentication of users, countering authentication abuse and bypass via alternate paths in the WordPress plugin.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The authentication bypass (CWE-288) in a public-facing WordPress plugin directly enables remote exploitation (T1190) by low-privileged authenticated users, who can achieve privilege escalation (T1068) with full confidentiality, integrity, and availability impact.
NVD Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse. This issue affects Miraculous Elementor: from n/a through <= 2.0.7.
Deeper analysis (AI)
CVE-2025-67998 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Miraculous Elementor WordPress plugin (miraculous-el), developed by kamleshyadav. This issue allows authentication abuse and affects the plugin from unknown initial versions through 2.0.7. The vulnerability was published on 2026-02-20T16:22:06.200 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges (PR:L), such as an authenticated low-level WordPress user, can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables authentication bypass via an alternate path or channel, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U).
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/miraculous-el/vulnerability/wordpress-miraculous-elementor-plugin-2-0-7-broken-authentication-vulnerability?_s_id=cve, which covers the broken authentication vulnerability in version 2.0.7. Security practitioners should consult this reference for patch information or workarounds.
Details
- CWE(s)