Thim Elementor Kit < 1.3.4 – Authenticated (Contributor+) Insecure Direct Object Reference | CVE 2025-67594 | Plugin Vulnerabilities

Description

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

Affects Plugins

thim-elementor-kit

Fixed in 1.3.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9ebeba9e-bda9-4cdd-bb59-fd7265f49c50

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mdr

Verified

No

WPVDB ID

92f68090-70cb-4494-9b0a-cffea2fd8c69

Timeline

Publicly Published

2025-12-06 (about 5 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2025-12-11 (about 5 months ago)

Other

Published

Title

Published

2024-07-01

Title

MasterStudy LMS < 3.3.24 - Privilege Escalation to Instructor

Published

2024-04-22

Title

ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference

Published

2025-11-11

Title

Payment Plugins Braintree For WooCommerce < 3.2.79 - Missing Authorization to Payment Token Exposure and Transaction Fraud

Published

2025-02-06

Title

Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 - Authenticated (Contributor+) Post Disclosure

Published

2021-06-03

Title

Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak