{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8488", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-01T20:36:48.454Z", "datePublished": "2025-08-02T09:23:31.864Z", "dateUpdated": "2026-04-08T17:13:07.895Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:07.895Z"}, "affected": [{"vendor": "brainstormforce", "product": "Ultimate Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting."}], "title": "Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4b847b5-9deb-41c4-b976-725249e0098e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/header-footer-elementor/tags/2.4.6/admin/class-hfe-addons-actions.php#L494"}, {"url": "https://plugins.trac.wordpress.org/browser/header-footer-elementor/tags/2.4.7/admin/class-hfe-addons-actions.php#L525"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-08-01T21:05:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-01T20:50:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-04T13:27:43.266566Z", "id": "CVE-2025-8488", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T13:27:52.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-04T13:27:43.266566Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T13:27:47.631Z"}}], "cna": {"title": "Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "brainstormforce", "product": "Ultimate Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-01T21:05:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-01T20:50:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4b847b5-9deb-41c4-b976-725249e0098e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/header-footer-elementor/tags/2.4.6/admin/class-hfe-addons-actions.php#L494"}, {"url": "https://plugins.trac.wordpress.org/browser/header-footer-elementor/tags/2.4.7/admin/class-hfe-addons-actions.php#L525"}], "descriptions": [{"lang": "en", "value": "The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:07.895Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8488", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:07.895Z", "dateReserved": "2025-08-01T20:36:48.454Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-02T09:23:31.864Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting."}, {"lang": "es", "value": "El complemento Ultimate Addons for Elementor (Formerly Elementor Header &amp; Footer Builder) para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n save_hfe_compatibility_option_callback() en todas las versiones hasta la 2.4.6 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, actualicen la configuraci\u00f3n de compatibilidad."}], "id": "CVE-2025-8488", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-02T10:15:27.477", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/header-footer-elementor/tags/2.4.6/admin/class-hfe-addons-actions.php#L494"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/header-footer-elementor/tags/2.4.7/admin/class-hfe-addons-actions.php#L525"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4b847b5-9deb-41c4-b976-725249e0098e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:42:39.728850+00:00", "value": {"mitigation_remediation": ["Upgrade Ultimate Addons for Elementor to version 2.4.7 or later to apply the missing capability check.", "If an upgrade cannot be performed immediately, limit the Subscriber role by removing any capabilities that allow editing of HFE plugin options or revoke the 'manage_options' capability for that role.", "Re\u2011evaluate the necessity of the compatibility setting and disable or remove it if it is not required for site operation."], "summary": {"action": "Immediate Update", "impact": "Unauthorized modification of plugin settings by authenticated users"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Ultimate Addons for Elementor (formerly Elementor Header & Footer Builder) plugin version 2.4.6 or older. The vulnerability applies to all supported installation paths for these versions.", "description_and_impact": "The plugin contains a missing capability check in the function that saves its compatibility setting. This flaw allows any logged\u2011in user with Subscriber or higher access to change the plugin\u2019s compatibility option. The change does not grant direct code execution or full administrative rights, but it permits unauthorised configuration changes that could alter site appearance or functionality and serve as a foothold for further compromise.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation today. The flaw is not listed in the CISA KEV catalog. Attackers would need to authenticate to the WordPress site with at least Subscriber role; the vulnerability is accessed through the normal admin interface, after which the unauthorized update can be performed without additional conditions."}}}}, "created": "2025-08-05T11:38:59.847200+00:00", "updated": "2026-04-21T03:45:27.385927+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$ultimate_addons_for_elementor", "elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}