CVE-2025-0968 Overview
CVE-2025-0968 affects the ElementsKit Elementor addons plugin for WordPress in all versions up to and including 3.4.0. The vulnerability stems from a missing capability check in the get_megamenu_content() function. Unauthenticated attackers can view any item created in Elementor, including posts, pages, and templates. Exposed content includes drafts, trashed items, and private items that should remain restricted to authorized users.
The flaw maps to [CWE-284] Improper Access Control and [CWE-862] Missing Authorization. The vulnerability was published to the National Vulnerability Database (NVD) on February 19, 2025.
Critical Impact
Unauthenticated attackers can disclose draft, trashed, and private Elementor content across affected WordPress sites running ElementsKit 3.4.0 or earlier.
Affected Products
- Wpmet ElementsKit Elementor Addons (Lite) - all versions through 3.4.0
- WordPress sites using the elementskit-lite plugin's megamenu module
- Elementor-built content stored as posts, pages, templates, drafts, trashed, and private items
Discovery Timeline
- 2025-02-19 - CVE-2025-0968 published to NVD
- 2025-02-25 - Last updated in NVD database
Technical Details for CVE-2025-0968
Vulnerability Analysis
The vulnerability is an Information Exposure flaw in the megamenu REST API handler of the ElementsKit Elementor addons plugin. The get_megamenu_content() function, defined in modules/megamenu/api.php, processes requests for menu content but does not verify the requester's WordPress capabilities. An attacker can call the endpoint without authentication and retrieve any Elementor-managed item by ID.
The function returns content irrespective of post status, exposing drafts, private posts, trashed items, and unpublished templates. Returned data can include unreleased marketing pages, internal documentation, customer data referenced in templates, and credentials embedded in private posts.
The issue is exploitable over the network with low attack complexity and requires no user interaction or privileges. The impact is limited to confidentiality. Integrity and availability of the target site are not directly affected.
Root Cause
The get_megamenu_content() function lacks a current_user_can() capability check and does not validate the post status before returning data. WordPress conventions require authorization checks before exposing non-public post types or items with draft, private, or trash status. The plugin treats the endpoint as public, bypassing standard access control enforced by the WordPress core.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to the megamenu API endpoint with the ID of a target Elementor item. The endpoint responds with the rendered or raw content of that item, regardless of its publication state. Attackers can enumerate IDs sequentially to harvest non-public content at scale. No authentication, session, or user interaction is required.
Technical details are documented in the WordPress Plugin Code Reference and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-0968
Indicators of Compromise
- Unauthenticated HTTP requests to ElementsKit megamenu REST routes referencing the get_megamenu_content handler
- Sequential or enumerative requests against megamenu endpoints with incrementing post or template IDs
- Anomalous spikes in response sizes from /wp-json/ routes registered by the elementskit-lite plugin
- Access log entries from unauthenticated clients retrieving content tied to draft, private, or trashed post IDs
Detection Strategies
- Inspect web server and WordPress access logs for unauthenticated requests targeting ElementsKit megamenu API paths
- Correlate REST API hits with WordPress post status to flag retrievals of non-public items
- Deploy WordPress security plugins or web application firewall (WAF) rules that match the vulnerable endpoint signature
- Compare installed plugin versions against 3.4.0 and earlier across the WordPress estate
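The log inspection and post-status correlation described above, as an added example that is not part of the original advisory or the plugin's code. It assumes Combined Log Format access logs, that the vulnerable route sits under /wp-json/ (or ?rest_route=) and contains the string "megamenu", and that you supply the set of draft, private, and trashed post IDs from the site; the route in the sample lines is a placeholder.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
ROUTE_MARKER = "megamenu"  # assumption: substring of the plugin's REST route

def requested_ids(target):
    """Integer IDs carried by a request to a megamenu REST route, else empty set."""
    parts = urlsplit(target)
    query = parse_qsl(parts.query)
    route = parts.path
    for key, value in query:
        if key == "rest_route":  # WordPress also serves REST via ?rest_route=/...
            route = "/wp-json" + value
    route = route.lower()
    if "/wp-json/" not in route or ROUTE_MARKER not in route:
        return set()
    # Heuristic: any all-digit query value or path segment is treated as an item ID.
    ids = {int(v) for k, v in query if k != "rest_route" and v.isdecimal()}
    return ids | {int(s) for s in route.split("/") if s.isdecimal()}

def find_enumeration(lines, non_public_ids=frozenset(), min_distinct=5):
    """Flag sources that fetched many distinct IDs or any known non-public ID."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(3).startswith("2"):  # successful responses only
            seen[m.group(1)] |= requested_ids(m.group(2))
    report = {}
    for ip, ids in seen.items():
        hits = ids & set(non_public_ids)
        if len(ids) >= min_distinct or hits:
            report[ip] = {"ids": sorted(ids), "non_public": sorted(hits)}
    return report

# Constructed sample lines; PLUGIN-NAMESPACE and ROUTE are placeholders.
SAMPLE_LOG = [
    f'203.0.113.7 - - [20/Feb/2025:10:00:0{i} +0000] '
    f'"GET /wp-json/PLUGIN-NAMESPACE/megamenu/ROUTE?id={100 + i} HTTP/1.1" 200 5120'
    for i in range(1, 6)
] + [
    '198.51.100.9 - - [20/Feb/2025:10:05:00 +0000] '
    '"GET /?rest_route=%2FPLUGIN-NAMESPACE%2Fmegamenu%2FROUTE&id=412 HTTP/1.1" 200 20480',
    '192.0.2.44 - - [20/Feb/2025:10:06:00 +0000] '
    '"GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG, non_public_ids={412}).items():
        print(ip, info)
```

Access logs in this format do not record whether a request carried a WordPress session, so a flagged source still needs review against known editor and administrator addresses.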
Monitoring Recommendations
- Forward WordPress access logs and PHP error logs to a centralized analytics platform for retention and correlation
- Alert on bursts of REST API requests from a single source IP targeting plugin-registered routes
- Track plugin inventory and version drift across hosted WordPress sites on a recurring schedule
- Monitor outbound data volumes from WordPress hosts to identify bulk content exfiltration
How to Mitigate CVE-2025-0968
Immediate Actions Required
- Update the ElementsKit Elementor addons plugin to a version released after 3.4.0 on every affected WordPress site
- Audit recent access logs for unauthenticated requests to ElementsKit megamenu API endpoints
- Rotate any secrets, tokens, or credentials that may have been stored in private or draft Elementor items
- Review draft, private, and trashed Elementor content for sensitive data that may already have been disclosed
Patch Information
The vendor addressed the missing capability check in the plugin source tree. Patch details and the updated api.php are available in the WordPress Change Set 3237243. Administrators should install the fixed release through the WordPress plugin updater or via WP-CLI.
Workarounds
- Disable the ElementsKit Elementor addons plugin until the patched version is installed
- Block unauthenticated access to ElementsKit megamenu REST routes using a WAF or reverse proxy rule
- Restrict /wp-json/ exposure to authenticated users where feasible via server-side access controls
- Remove sensitive content from drafts, private posts, and trashed items pending remediation
```bash
# Update ElementsKit via WP-CLI on affected hosts
wp plugin update elementskit-lite
# Confirm the installed version is newer than 3.4.0
wp plugin list --name=elementskit-lite --fields=name,status,version
```

