CVE-2025-54037

2025-07-16

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
- CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through <= 1.3.4.

Analysis (AI)

News Kit Elementor Addons WordPress plugin version 1.3.4 and earlier contains a missing authorization vulnerability that allows attackers to exploit incorrectly configured access control, potentially bypassing security restrictions on protected functionality. The vulnerability stems from improper access control checks and affects a widely-distributed WordPress plugin used for news content management within Elementor page builder environments. While CVSS scoring is unavailable, the EPSS score of 0.07% indicates low real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.

Technical Context (AI)

The vulnerability is rooted in CWE-862 (Missing Authorization), a common weakness class that describes scenarios where an application fails to properly verify that a user has the necessary permissions before granting access to sensitive functionality or data. In the context of News Kit Elementor Addons, the plugin's implementation of access control within the Elementor page builder framework (which allows drag-and-drop content creation) appears to lack adequate privilege checks. The Elementor plugin ecosystem extends WordPress's native role-based access control, and custom plugins built atop it must properly inherit and enforce those controls. The lack of authorization checks likely permits users with lower privileges (e.g., Subscribers, Contributors, or unauthenticated users) to access or modify news content, settings, or API endpoints that should be restricted to Editors, Administrators, or specific capability levels.

Affected Products (AI)

News Kit Elementor Addons WordPress plugin versions 1.3.4 and earlier are affected. The plugin, deployed as a WordPress extension available through the official WordPress plugin repository, provides Elementor page builder integration for news content management. Affected installations include any WordPress site running News Kit Elementor Addons up to and including version 1.3.4. The plugin's broader ecosystem impact is limited to WordPress environments with Elementor page builder installed; standalone Elementor installations without this specific addon are unaffected. Refer to https://patchstack.com/database/Wordpress/Plugin/news-kit-elementor-addons/vulnerability/wordpress-news-kit-elementor-addons-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve for the Patchstack advisory details.

Remediation (AI)

Upgrade News Kit Elementor Addons to a patched version released after 1.3.4; consult the plugin developer's official release notes or the WordPress plugin repository to confirm the minimum version that resolves this authorization bypass. Until an updated version is available, review and manually enforce access control rules by ensuring only trusted Administrators and Editors have permission to create, modify, or delete news content through Elementor, and consider restricting the plugin's overall availability via role-based activation or capability restrictions using WordPress security plugins. Monitor the Patchstack database entry for the plugin at https://patchstack.com/database/Wordpress/Plugin/news-kit-elementor-addons/ for patch availability announcements, and apply the update as soon as a confirmed fix is released.
