WordPress Plugin Vulnerabilities

Premium Addons for Elementor < 4.11.64 - Subscriber+ Settings Update

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

Affects Plugins

Plugin icon
premium-addons-for-elementor
Fixed in 4.11.64

References

CVE
CVE-2025-69300
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/59edf88d-a16d-48ec-981a-0002730f4091

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Phat RiO
Verified
No
WPVDB ID
8bafa519-7649-42e3-b256-c38333254b77

Timeline

Publicly Published
2026-01-17 (about 3 months ago)
Added
2026-01-28 (about 3 months ago)
Last Updated
2026-01-28 (about 3 months ago)

Other

Published
Title
Published
2024-09-10
Title
Event Calendar <= 1.0.4 - Unauthenticated Arbitrary Calendar Deletion
Published
2026-01-05
Title
Icegram < 3.1.36 - Missing Authorization
Published
2023-12-21
Title
EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management
Published
2025-01-16
Title
Email Capture & Lead Generation <= 1.0.2 - Missing Authorization
Published
2024-12-17
Title
WPLMS < 1.9.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update