CVE-2025-63077

Severity: MEDIUM, CVSS 3.1 base score 4.3
Published: 2025-12-09, source: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 4.3

Description

Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.3.

Analysis

Happy Addons for Elementor through version 3.20.3 lets an authenticated user reach functionality that should be restricted to higher-privileged roles, because one or more endpoints or admin functions do not check the caller's capabilities. Exploitation requires a valid account on the site (PR:L) and yields limited information disclosure (C:L, with no integrity or availability impact), giving a CVSS 3.1 base score of 4.3. The EPSS exploitation probability of 0.04% indicates little observed real-world attack interest. Note, however, that attack complexity is low and no user interaction is required, so on a site that allows self-registration the "authenticated" precondition is met by anyone willing to create an account; such sites should treat the issue with more urgency than the score alone suggests.

Technical Context

This is a missing authorization vulnerability (CWE-862: Missing Authorization) in the Happy Addons for Elementor WordPress plugin, a widget and extension pack for the Elementor page builder. The root cause is that one or more protected functions or endpoints are reachable without a check that the calling user holds the required capability. In WordPress, authentication (is this a logged-in user, and which one?) is handled by core through its cookie or application-password layer; authorization is the plugin's responsibility and is expressed through capability checks such as current_user_can( 'manage_options' ) or current_user_can( 'edit_posts' ), placed in a REST route's permission_callback or at the top of an admin-ajax handler. Nonce verification (wp_verify_nonce, check_ajax_referer) is often mistaken for such a check, but a nonce only proves the request originated from a page the user loaded, i.e. it defends against CSRF; it grants no rights and is available to every logged-in user. Here the plugin evidently omits or misconfigures the capability check on at least one sensitive operation, so a low-privilege account (a Subscriber or Contributor, for instance) can read data intended for administrators or editors. The weakness is improper authorization rather than authentication bypass: the authentication layer is intact, but what an authenticated user is permitted to do is not enforced.
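The following is an added illustration of this bug class in WordPress plugin code; it is not Happy Addons' own code. The page does not identify the affected endpoint, so the route name (demo/v1/settings), the capability checked (manage_options) and the data returned are all assumptions. The stubs at the top are there only so the file runs under a plain php command line; inside WordPress the real core functions are used and the stubs are skipped.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
 * NOT Happy Addons' code: route name, capability and returned data are assumed.
 *
 * Runs under plain `php` thanks to the stubs below; inside WordPress the real
 * functions exist, so the stubs are skipped.
 */

if ( ! function_exists( 'register_rest_route' ) ) {
    // Stubs standing in for WordPress core. The fake current user holds the
    // capabilities of a Contributor (can write drafts, cannot manage options).
    $GLOBALS['demo_caps']   = array( 'read' => true, 'edit_posts' => true );
    $GLOBALS['demo_routes'] = array();

    function current_user_can( $cap ) {
        return ! empty( $GLOBALS['demo_caps'][ $cap ] );
    }
    function __return_true() {
        return true;
    }
    function register_rest_route( $ns, $route, $args ) {
        $GLOBALS['demo_routes'][ $ns . $route ] = $args;
    }
    function rest_ensure_response( $data ) {
        return $data;
    }
}

// Callback shared by both routes: returns data that only an administrator
// should see (constructed sample, standing in for plugin settings).
function demo_get_settings() {
    return rest_ensure_response( array( 'api_key' => 'constructed-sample-key' ) );
}

// VULNERABLE PATTERN: any logged-in user (and, if registration is open,
// effectively anyone) can call the route, because the permission callback
// never consults the user's capabilities.
function demo_register_vulnerable_route() {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_settings',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: authorization is a capability decision, not a login decision.
// A nonce check would NOT be a substitute here; nonces only defend against
// CSRF and every logged-in user can obtain one.
function demo_register_hardened_route() {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}

// Evaluate a registered route's permission callback for the current user
// (uses the stub route table, so only meaningful in the stand-alone run).
function demo_route_allows( $key ) {
    $cb = $GLOBALS['demo_routes'][ $key ]['permission_callback'];
    return (bool) call_user_func( $cb );
}

// Stand-alone demonstration (skipped when loaded inside WordPress).
if ( ! defined( 'ABSPATH' ) ) {
    demo_register_vulnerable_route();
    $vuln_allows = demo_route_allows( 'demo/v1/settings' );

    demo_register_hardened_route(); // re-registers the same route, replacing it
    $hard_allows = demo_route_allows( 'demo/v1/settings' );

    printf( "Contributor-level user, vulnerable route: %s\n", $vuln_allows ? 'ALLOWED' : 'denied' );
    printf( "Contributor-level user, hardened route:   %s\n", $hard_allows ? 'ALLOWED' : 'denied' );
}
```

In a real plugin the two register functions would be hooked to the rest_api_init action rather than called directly; the point of the example is the permission_callback line. When reviewing a plugin for this bug class, grep for permission_callback values of __return_true and for admin-ajax handlers (wp_ajax_* hooks) whose only gate is check_ajax_referer, then confirm each one really is meant to be reachable by every logged-in user.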

Affected Products

Happy Addons for Elementor versions from an unspecified baseline through 3.20.3 are affected. The plugin is distributed via the WordPress plugin repository and is identified by the slug 'happy-elementor-addons'. Administrators running version 3.20.3 or earlier should update as soon as a fixed release is available. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-2-broken-access-control-vulnerability for complete affected version details and vendor communication; note that the advisory URL slug refers to 3.20.2 while the NVD description lists versions through 3.20.3, so treat 3.20.3 as the affected upper bound until the vendor confirms which release carries the fix.

Remediation

Update Happy Addons for Elementor to the release the vendor published in response to this CVE; confirm the exact fixed version number against the Patchstack advisory or the plugin's changelog, and verify the installed version on each site (for example with wp plugin get happy-elementor-addons --field=version) rather than trusting a dashboard badge. Until the update is applied, reduce who can satisfy the PR:L precondition: disable open registration (Settings > General, "Anyone can register") if the site does not need it, and audit user roles so that only trusted people hold Subscriber, Contributor, Author or Editor accounts, since any of these can reach an endpoint that lacks a capability check. Restrict plugin administration to a minimal set of administrators. Keeping WordPress core and Elementor current remains good hygiene, but it does not address this flaw, which lies in the plugin's own code.

Priority Score

22 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0


CVE-2025-63077 vulnerability details – vuln.today
