{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69300", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:11:57.533Z", "datePublished": "2026-01-22T16:52:31.523Z", "dateUpdated": "2026-04-28T16:14:37.046Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "premium-addons-for-elementor", "product": "Premium Addons for Elementor", "vendor": "Leap13", "versions": [{"changes": [{"at": "4.11.64", "status": "unaffected"}], "lessThanOrEqual": "4.11.63", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:07.282Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.</p>"}], "value": "Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.046Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress Premium Addons for Elementor plugin <= 4.11.63 - Settings Change vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T17:59:40.559702Z", "id": "CVE-2025-69300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:49:55.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T17:59:40.559702Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T17:59:34.333Z"}}], "cna": {"title": "WordPress Premium Addons for Elementor plugin <= 4.11.63 - Settings Change vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Leap13", "product": "Premium Addons for Elementor", "versions": [{"status": "affected", "changes": [{"at": "4.11.64", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.11.63"}], "packageName": "premium-addons-for-elementor", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:07.282Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:00.288Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69300", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:49:55.043Z", "dateReserved": "2025-12-31T20:11:57.533Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:31.523Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Leap13 Premium Addons para Elementor premium-addons-for-elementor permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Premium Addons para Elementor: desde n/a hasta &lt;= 4.11.63."}], "id": "CVE-2025-69300", "lastModified": "2026-04-27T21:16:23.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:26.597", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:13:50.945559+00:00", "value": {"mitigation_remediation": ["Upgrade Premium Addons for Elementor to the latest version that removes the authorization flaw.", "If an upgrade cannot be performed immediately, disable or remove the plugin from the site.", "Restrict access to the WordPress admin area and the plugin\u2019s settings page to trusted administrators only, ensuring the security role has appropriate permissions."], "summary": {"action": "Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The affected product is Leap13 Premium Addons for Elementor for WordPress, version 4.11.63 and earlier. Any WordPress installation that has the plugin of these versions or older installed is potentially vulnerable.", "description_and_impact": "The vulnerability is a missing authorization flaw in Leap13 Premium Addons for Elementor that lets an attacker alter plugin settings without proper permission. The flaw is an incorrect access control configuration that can be exploited to gain unauthorized modification rights, potentially allowing broader compromise of the site. The weakness falls under CWE\u2011862, indicating an authorization error.", "risk_and_exploitability": "The CVSS base score is 5.4, reflecting moderate impact. The EPSS score is below 1\u202f%, suggesting an extremely low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the plugin\u2019s settings endpoint, which they could reach from any authenticated WordPress user, or potentially from unauthenticated sessions if the plugin exposes the endpoint. The missing authorization means that once the endpoint is identified, an attacker can change settings without further privileges."}}}}, "created": "2026-01-23T16:28:04.959219+00:00", "updated": "2026-04-27T21:15:05.551013+00:00", "vendors": ["leap13", "leap13$PRODUCT$premium_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}