CVE-2025-63053

Published 2025-12-31

Lifecycle Timeline

Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 15:15 nvd

Description

Authorization Bypass Through User-Controlled Key vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4.

Analysis

Authorization bypass in Master Addons for Elementor through version 2.0.9.9.4 allows attackers to exploit incorrectly configured access control via user-controlled keys, enabling unauthorized access to protected functionality without proper privilege validation. The vulnerability affects WordPress installations using the vulnerable plugin versions and carries low exploitation probability (EPSS 0.04%) with no confirmed active exploitation or public exploit code available.

Technical Context

Master Addons for Elementor is a WordPress plugin that extends Elementor page builder functionality with additional components and tools. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a root cause where the application uses attacker-controllable data as a direct key for authorization decisions without proper server-side validation. This class of flaw typically manifests as insecure direct object references (IDOR), where user-supplied identifiers are trusted to determine access permissions. The plugin's access control logic fails to adequately verify that the user requesting access actually possesses legitimate authorization for the requested resource, relying instead on client-side or easily manipulated identifiers.
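As an added illustration of the CWE-639 pattern described above (hypothetical code written for this page, not code from Master Addons for Elementor; the action names, the `template_id` field, the nonce name and the `hypo_template` post type are assumptions), a WordPress AJAX handler that trusts a client-supplied key as its authorization decision, beside a hardened form that decides authorization server-side:

```php
<?php
// Hypothetical WordPress AJAX handlers illustrating CWE-639 / IDOR.
// Not code from Master Addons for Elementor; all names here are assumptions.

// VULNERABLE: the client-supplied template_id is the only input to the
// authorization decision. Any caller who can supply an ID (including
// unauthenticated visitors, because of the nopriv hook) reads that object.
function hypo_get_template_vulnerable() {
    $template_id = isset( $_POST['template_id'] ) ? (int) $_POST['template_id'] : 0;
    $post        = get_post( $template_id ); // no ownership or capability check
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'content' => $post->post_content ) );
}
add_action( 'wp_ajax_hypo_get_template', 'hypo_get_template_vulnerable' );
add_action( 'wp_ajax_nopriv_hypo_get_template', 'hypo_get_template_vulnerable' );

// HARDENED: the key still comes from the client, but authorization is derived
// from the server-side session: a nonce bound to this action, an object-level
// capability check, a post-type restriction, and no nopriv registration.
function hypo_get_template_hardened() {
    check_ajax_referer( 'hypo_template_nonce', 'nonce' ); // terminates on failure

    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    $post        = get_post( $template_id );

    // Object-level check: the current user must be allowed to edit *this* post,
    // not merely be logged in. edit_post is a mapped meta capability in WordPress.
    if ( ! $post || ! current_user_can( 'edit_post', $template_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Confine the endpoint to the plugin's own object type so it cannot be
    // repurposed to read unrelated posts whose IDs the caller guesses.
    if ( 'hypo_template' !== $post->post_type ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_send_json_success( array( 'content' => $post->post_content ) );
}
add_action( 'wp_ajax_hypo_get_template_secure', 'hypo_get_template_hardened' );
```

When reviewing a plugin for this flaw, look for every handler that resolves a request-supplied ID and confirm that a per-object capability check (not just `is_user_logged_in()`) sits between the ID and the action taken on it.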

Affected Products

Master Addons for Elementor versions from an unspecified baseline through 2.0.9.9.4 are affected. The plugin is distributed via the WordPress.org plugin repository (https://wordpress.org/plugins/master-addons/). Users running any version up to and including 2.0.9.9.4 should be considered at risk if they have not applied subsequent security updates.

Remediation

Update Master Addons for Elementor to a version later than 2.0.9.9.4. WordPress administrators should navigate to the Plugins dashboard, locate Master Addons for Elementor, and install the latest available update from the WordPress.org plugin repository. If an explicit patched version number is not yet published, check the plugin's official advisory or Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve) for confirmation of available patches. Pending patch application, restrict access to the Master Addons for Elementor administrative functionality to trusted users only and monitor plugin activity logs for suspicious authorization patterns.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.0, CVSS +0, POC 0


CVE-2025-63053 vulnerability details – vuln.today
