{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25398", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-03-25T16:14:48.027Z", "dateUpdated": "2026-04-28T16:14:57.603Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "addons-for-elementor-builder", "product": "Vertex Addons for Elementor", "vendor": "Webilia Inc.", "versions": [{"changes": [{"at": "1.7.0", "status": "unaffected"}], "lessThanOrEqual": "1.6.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:18.760Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4.</p>"}], "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.603Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor-builder/vulnerability/wordpress-vertex-addons-for-elementor-plugin-1-6-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Vertex Addons for Elementor plugin <= 1.6.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:44:11.942359Z", "id": "CVE-2026-25398", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:39:36.969Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:44:11.942359Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:08.384Z"}}], "cna": {"title": "WordPress Vertex Addons for Elementor plugin <= 1.6.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Webilia Inc.", "product": "Vertex Addons for Elementor", "versions": [{"status": "affected", "changes": [{"at": "1.7.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.4"}], "packageName": "addons-for-elementor-builder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:18.760Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor-builder/vulnerability/wordpress-vertex-addons-for-elementor-plugin-1-6-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25398", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:39:36.969Z", "dateReserved": "2026-02-02T12:53:12.987Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:48.027Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Vertex Addons for Elementor: desde n/a hasta &lt;= 1.6.4."}], "id": "CVE-2026-25398", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:49.357", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor-builder/vulnerability/wordpress-vertex-addons-for-elementor-plugin-1-6-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}]}, "product": "vertex_addons_for_elementor", "vendor": "webilia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T19:38:23.153972+00:00", "value": {"mitigation_remediation": ["Update the Vertex Addons for Elementor plugin to a version newer than 1.6.4 if one is available.", "If no update is available, consider temporarily disabling or uninstalling the plugin to prevent exploitation.", "Review WordPress user role assignments to ensure only trusted administrators have permission to edit Elementor elements or plugin settings.", "Monitor site logs and content for unexpected changes that may indicate an attempt to exploit the vulnerability.", "Check the vendor\u2019s website or the WordPress plugin repository for patches or advisories."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All installations of the Vertex Addons for Elementor plugin distributed by Webilia Inc. where the version is n/a through 1.6.4 are affected. Sites should verify the installed version and consider upgrading to a release newer than 1.6.4 once available.", "description_and_impact": "The vulnerability in the Vertex Addons for Elementor plugin is a missing authorization flaw that permits an attacker who can reach the plugin\u2019s administrative controls to perform privileged actions without the necessary role checks. This broken access control can enable tampering with plugin settings, adding or removing elements, or otherwise altering site content, thereby compromising the integrity of the website. The weakness is identified as CWE-862, Missing Authorization.", "risk_and_exploitability": "The CVSS score of 6.5 categorizes the flaw as moderate severity, and the EPSS score of less than 1% indicates a low current likelihood of exploitation. Based on the description, the most likely attack vector involves web requests to the plugin\u2019s administrative endpoints; an attacker would need to be authenticated as a user with sufficient privileges or exploit an exposed management page to gain the necessary access. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely reported exploitation yet, but the potential for unauthorized site modification warrants prompt action."}}}}, "created": "2026-03-25T21:44:37.432361+00:00", "updated": "2026-03-27T09:31:48.852357+00:00", "vendors": ["webilia", "webilia$PRODUCT$vertex_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}