Master Addons for Elementor < 2.1.0 – Unauthenticated Insecure Direct Object Reference | CVE 2025-63053 | Plugin Vulnerabilities

Description

The Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9.9.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Fixed in 2.1.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2ac09e78-fea1-478f-a3bc-40742bdc0f6a

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mdr

Verified

No

WPVDB ID

19ebac83-717e-4364-a68a-f6064a64df98

Timeline

Publicly Published

2025-12-31 (about 3 months ago)

Added

2026-01-05 (about 2 months ago)

Last Updated

2026-01-27 (about 2 months ago)

Other

Published

Title

Published

2024-11-12

Title

BuddyPress Builder for Elementor – BuddyBuilder < 1.8.0 - Contributor+ Post Disclosure

Published

2023-01-17

Title

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

Published

2024-11-08

Title

Attesa Extra < 1.4.3 - Authenticated (Contributor+) Post Disclosure

Published

2025-10-14

Title

Quick Featured Images < 13.7.3 - Insecure Direct Object Reference to Image Manipulation

Published

2026-03-23

Title

LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.7 - Authenticated (Subscriber+) Insecure Direct Object Reference