Skip to main content

Buttoner for Elementor CVE-2025-68085

MEDIUM
Missing Authorization (CWE-862)
2025-12-16 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 24, 2026 - 20:33 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in merkulove Buttoner for Elementor buttoner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Buttoner for Elementor: from n/a through <= 1.0.6.

AnalysisAI

Authenticated users with limited privileges can modify plugin settings and access functionality they should not have access to via missing authorization checks in Buttoner for Elementor through version 1.0.6. The vulnerability requires valid WordPress user credentials but no administrative role, allowing privilege escalation within the plugin's configuration interface. EPSS score of 0.05% indicates low exploitation probability despite network accessibility.

Technical ContextAI

Buttoner for Elementor is a WordPress plugin built for the Elementor page builder that provides button customization functionality. The vulnerability stems from improper access control (CWE-862) in the plugin's settings management endpoints. The plugin fails to properly validate user roles and capabilities before exposing administrative functions, allowing any authenticated WordPress user to interact with privileged operations. This is a common pattern in WordPress plugins where AJAX handlers or REST endpoints check for nonce/authentication but fail to verify the user's actual capability level (e.g., manage_options) required to perform administrative actions.

Affected ProductsAI

Buttoner for Elementor versions from an unspecified baseline through version 1.0.6 are affected. The vulnerability impacts all installations of the plugin at or below version 1.0.6 running on WordPress with the Elementor page builder. CPE identifier: cpe:2.3:a:merkulove:buttoner_for_elementor:*:*:*:*:*:wordpress:*:* (versions 1.0.6 and earlier).

RemediationAI

Update Buttoner for Elementor to a version newer than 1.0.6 when the vendor releases a patched version; check the Patchstack vulnerability database and the plugin's official WordPress.org repository for updated releases. If an immediate patch is not available, restrict WordPress user accounts to the minimum necessary roles (e.g., do not grant editor or contributor roles to untrusted users) and monitor plugin settings for unauthorized changes via WordPress audit logs. Additionally, consider disabling the plugin entirely if it is not actively in use, or implement Web Application Firewall rules to restrict access to the plugin's settings endpoints to administrator accounts only. Refer to https://patchstack.com/database/Wordpress/Plugin/buttoner-elementor/vulnerability/wordpress-buttoner-for-elementor-plugin-1-0-6-settings-change-vulnerability for vendor advisories and patch status updates.

Share

CVE-2025-68085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy