CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-0968: ElementsKit Elementor addons <= 3.4.0 - Unauthenticated Information Exposure via get_megamenu_content Function

5.3 CVSS

Description

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.0 due to a missing capability checks on the get_megamenu_content() function. This makes it possible for unauthenticated attackers to view any item created in Elementor, such as posts, pages and templates including drafts, trashed and private items.

Classification

CVE ID: CVE-2025-0968

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor: xpeedstudio

Product: ElementsKit Elementor addons

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 11.92% (scored less or equal to compared to others)

EPSS Date: 2025-03-20 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/432ac3b1-8f1d-442f-8e8d-62a1f26ba259?source=cve
https://plugins.trac.wordpress.org/browser/elementskit-lite/trunk/modules/megamenu/api.php#L47
https://wordpress.org/plugins/elementskit-lite/#developers
https://plugins.trac.wordpress.org/changeset/3237243/

Timeline

2025-02-20 00:31:06 UTC
CVE

ElementsKit Elementor addons <= 3.4.0 - Unauthenticated Information Exposure via get_megamenu_content Function