Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Contributor account required (PR:L) to reach network-exposed endpoint; only read-side data disclosed (C:L), no integrity or availability impact confirmed.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.
AnalysisAI
Broken access control in the Live Copy Paste for Elementor WordPress plugin (versions <= 1.5.3) allows contributor-level authenticated users to access restricted functionality beyond their intended authorization scope, resulting in unauthorized read access to content. The vulnerability stems from missing authorization checks (CWE-862) on plugin endpoints, and the 'Authentication Bypass' tag from Patchstack indicates contributors can bypass role-based restrictions enforced elsewhere. No public exploit code has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog.
Technical ContextAI
The Live Copy Paste for Elementor plugin extends the Elementor page builder for WordPress by enabling clipboard-style copy-paste of page elements. CWE-862 (Missing Authorization) indicates the plugin registers AJAX actions or REST API endpoints without verifying that the calling user holds the required capability (e.g., edit_posts, manage_options, or a custom capability) before executing privileged operations. In WordPress, the Contributor role (PR:L in CVSS terms) can create and edit their own posts but cannot publish or manage others' content. When a plugin endpoint omits a capability check such as current_user_can(), a contributor can invoke actions reserved for editors or administrators. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is consistent with an unauthenticated-to-contributor access control gap exposing read-only data, with no integrity or availability consequences reported.
RemediationAI
Update the Live Copy Paste for Elementor plugin to a version higher than 1.5.3 as soon as a patched release is published; no specific fix version was identified in the data provided - verify the current patched version via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/live-copy-paste/vulnerability/wordpress-live-copy-paste-for-elementor-plugin-1-5-3-broken-access-control-vulnerability or the WordPress plugin repository. As an immediate compensating control, administrators should disable contributor-level registration on sites where it is not operationally required, or audit existing contributor accounts for trustworthiness. Alternatively, deactivating the Live Copy Paste for Elementor plugin until a patch is applied eliminates the attack surface entirely, with the trade-off of losing the copy-paste editing feature for Elementor. A Web Application Firewall rule blocking contributor AJAX or REST calls to plugin-specific endpoints may reduce exposure but is difficult to implement precisely without knowing the exact vulnerable endpoint names.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210353
GHSA-jjmj-p2pw-fqvw