Skip to main content

Live Copy Paste CVE-2025-63079

| EUVDEUVD-2025-210353 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-jjmj-p2pw-fqvw
4.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Contributor account required (PR:L) to reach network-exposed endpoint; only read-side data disclosed (C:L), no integrity or availability impact confirmed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:30 vuln.today

DescriptionCVE.org

Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.

AnalysisAI

Broken access control in the Live Copy Paste for Elementor WordPress plugin (versions <= 1.5.3) allows contributor-level authenticated users to access restricted functionality beyond their intended authorization scope, resulting in unauthorized read access to content. The vulnerability stems from missing authorization checks (CWE-862) on plugin endpoints, and the 'Authentication Bypass' tag from Patchstack indicates contributors can bypass role-based restrictions enforced elsewhere. No public exploit code has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog.

Technical ContextAI

The Live Copy Paste for Elementor plugin extends the Elementor page builder for WordPress by enabling clipboard-style copy-paste of page elements. CWE-862 (Missing Authorization) indicates the plugin registers AJAX actions or REST API endpoints without verifying that the calling user holds the required capability (e.g., edit_posts, manage_options, or a custom capability) before executing privileged operations. In WordPress, the Contributor role (PR:L in CVSS terms) can create and edit their own posts but cannot publish or manage others' content. When a plugin endpoint omits a capability check such as current_user_can(), a contributor can invoke actions reserved for editors or administrators. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is consistent with an unauthenticated-to-contributor access control gap exposing read-only data, with no integrity or availability consequences reported.

RemediationAI

Update the Live Copy Paste for Elementor plugin to a version higher than 1.5.3 as soon as a patched release is published; no specific fix version was identified in the data provided - verify the current patched version via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/live-copy-paste/vulnerability/wordpress-live-copy-paste-for-elementor-plugin-1-5-3-broken-access-control-vulnerability or the WordPress plugin repository. As an immediate compensating control, administrators should disable contributor-level registration on sites where it is not operationally required, or audit existing contributor accounts for trustworthiness. Alternatively, deactivating the Live Copy Paste for Elementor plugin until a patch is applied eliminates the attack surface entirely, with the trade-off of losing the copy-paste editing feature for Elementor. A Web Application Firewall rule blocking contributor AJAX or REST calls to plugin-specific endpoints may reduce exposure but is difficult to implement precisely without knowing the exact vulnerable endpoint names.

Share

CVE-2025-63079 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy