Buttoner for Elementor CVE-2025-68085
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in merkulove Buttoner for Elementor buttoner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Buttoner for Elementor: from n/a through <= 1.0.6.
AnalysisAI
Authenticated users with limited privileges can modify plugin settings and access functionality they should not have access to via missing authorization checks in Buttoner for Elementor through version 1.0.6. The vulnerability requires valid WordPress user credentials but no administrative role, allowing privilege escalation within the plugin's configuration interface. EPSS score of 0.05% indicates low exploitation probability despite network accessibility.
Technical ContextAI
Buttoner for Elementor is a WordPress plugin built for the Elementor page builder that provides button customization functionality. The vulnerability stems from improper access control (CWE-862) in the plugin's settings management endpoints. The plugin fails to properly validate user roles and capabilities before exposing administrative functions, allowing any authenticated WordPress user to interact with privileged operations. This is a common pattern in WordPress plugins where AJAX handlers or REST endpoints check for nonce/authentication but fail to verify the user's actual capability level (e.g., manage_options) required to perform administrative actions.
Affected ProductsAI
Buttoner for Elementor versions from an unspecified baseline through version 1.0.6 are affected. The vulnerability impacts all installations of the plugin at or below version 1.0.6 running on WordPress with the Elementor page builder. CPE identifier: cpe:2.3:a:merkulove:buttoner_for_elementor:*:*:*:*:*:wordpress:*:* (versions 1.0.6 and earlier).
RemediationAI
Update Buttoner for Elementor to a version newer than 1.0.6 when the vendor releases a patched version; check the Patchstack vulnerability database and the plugin's official WordPress.org repository for updated releases. If an immediate patch is not available, restrict WordPress user accounts to the minimum necessary roles (e.g., do not grant editor or contributor roles to untrusted users) and monitor plugin settings for unauthorized changes via WordPress audit logs. Additionally, consider disabling the plugin entirely if it is not actively in use, or implement Web Application Firewall rules to restrict access to the plugin's settings endpoints to administrator accounts only. Refer to https://patchstack.com/database/Wordpress/Plugin/buttoner-elementor/vulnerability/wordpress-buttoner-for-elementor-plugin-1-0-6-settings-change-vulnerability for vendor advisories and patch status updates.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today