{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25398", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-03-25T16:14:48.027Z", "dateUpdated": "2026-03-26T16:40:31.176Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "addons-for-elementor-builder", "product": "Vertex Addons for Elementor", "vendor": "Webilia Inc.", "versions": [{"lessThanOrEqual": "<= 1.6.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:27.343Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4.</p>"}], "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.027Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor-builder/vulnerability/wordpress-vertex-addons-for-elementor-plugin-1-6-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Vertex Addons for Elementor plugin <= 1.6.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:32:07.373443Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:40:31.176Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4."}], "id": "CVE-2026-25398", "lastModified": "2026-03-25T17:16:49.357", "metrics": {}, "published": "2026-03-25T17:16:49.357", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/addons-for-elementor-builder/vulnerability/wordpress-vertex-addons-for-elementor-plugin-1-6-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}]}, "product": "vertex_addons_for_elementor", "vendor": "webilia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:55:26.991494+00:00", "value": {"mitigation_remediation": ["Upgrade Vertex Addons for Elementor to a version newer than 1.6.4", "Verify that the new plugin version restores proper access controls and that no further unauthorized access is possible", "If an upgrade is not immediately possible, disable or remove the plugin until it can be patched, or restrict site access so only trusted users can use the plugin's features", "Keep WordPress core and all other plugins updated to reduce the overall attack surface", "Monitor site logs for suspicious requests that might indicate exploitation attempts"], "summary": {"action": "Patch Now", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The flaw affects the Vertex Addons for Elementor plugin for WordPress, developed by Webilia Inc., in all released versions up to and including 1.6.4. WordPress site owners using any version of the plugin within that range are vulnerable.", "description_and_impact": "This vulnerability is a missing authorization flaw in Webilia Inc.'s Vertex Addons for Elementor plugin, allowing attackers to bypass access controls and exploit incorrectly configured security levels. The flaw enables unauthorized users to gain access to plugin features or data that should be restricted, potentially leading to information exposure or privilege escalation within the WordPress site.", "risk_and_exploitability": "Because the attack vector involves interacting with the plugin's web interface, an attacker can exploit the vulnerability remotely through standard HTTP requests. While no CVSS score is supplied, the missing authorization condition suggests a moderate to high risk, and the vulnerability is not currently listed in the CISA KEV catalog. No public exploit statistics are available, but the lack of a proper access check means the flaw could be readily abused by attackers once discovered. The likely attack vector is via HTTP requests to the plugin's endpoints, inferred from the nature of the plugin and the missing authorization check."}}}}, "created": "2026-03-25T21:44:37.432361+00:00", "updated": "2026-03-26T11:38:32.835178+00:00", "vendors": ["webilia", "webilia$PRODUCT$vertex_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}