WordPress Plugin Vulnerabilities

News Kit Elementor Addons < 1.3.5 - Missing Authorization

Description

The News Kit Elementor Addons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
news-kit-elementor-addons
Fixed in 1.3.5

References

CVE
CVE-2025-54037
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/37276e9e-2b77-4259-b52f-f49da04f83e2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
zaim
Verified
No
WPVDB ID
79abe10a-667a-46f5-aaa0-c982020881e9

Timeline

Publicly Published
2025-07-16 (about 10 months ago)
Added
2025-07-21 (about 10 months ago)
Last Updated
2025-07-21 (about 10 months ago)

Other

Published
Title
Published
2024-02-12
Title
SKT Page Builder < 4.2 - Missing Authorization to Authenticated(Subscriber+) Content Injection
Published
2024-08-22
Title
WooCommerce Google Feed Manager < 2.9.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Feed Actions
Published
2022-08-25
Title
About Rentals <= 1.5 - Unauthenticated Actions
Published
2025-05-01
Title
Smart Framework <= Multiple Plugins - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2025-04-17
Title
Simple Sitemap – Create a Responsive HTML Sitemap < 3.6.1 - Missing Authorization