CVE-2025-60167 Overview
CVE-2025-60167 is a sensitive information disclosure vulnerability in the Page Manager for Elementor WordPress plugin developed by honzat. The flaw affects all plugin versions up to and including 2.0.5. An authenticated attacker with low-level privileges can retrieve embedded sensitive system information that should remain protected from unauthorized access. The weakness maps to [CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere]. The vulnerability is exploitable over the network without user interaction, but requires valid low-privileged credentials on the target WordPress site.
Critical Impact
Authenticated low-privilege users can retrieve embedded sensitive data from sites running Page Manager for Elementor <= 2.0.5, potentially exposing configuration details useful for further attacks.
Affected Products
- honzat Page Manager for Elementor plugin for WordPress
- All versions from initial release through 2.0.5
- WordPress installations with the page-manager-for-elementor plugin enabled
Discovery Timeline
- 2025-09-26 - CVE-2025-60167 published to the National Vulnerability Database
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-60167
Vulnerability Analysis
The vulnerability resides in the Page Manager for Elementor plugin, which extends Elementor page building capabilities within WordPress. The plugin exposes sensitive system information to users who should not have access to it. Because the issue maps to [CWE-497], affected functionality returns embedded configuration data, internal identifiers, or system metadata in responses accessible to authenticated subscribers or contributors.
The attack requires network access to the WordPress site and a valid authenticated session with low privileges. No user interaction is needed, and exploitation does not impact integrity or availability. Confidentiality impact is limited to data the plugin embeds in its responses, not full system compromise. The EPSS score of 0.038% reflects a low probability of opportunistic exploitation at scale, but targeted use against sites known to run the plugin remains plausible.
Root Cause
The plugin fails to enforce proper authorization checks before returning data that contains sensitive system information. Responses generated by plugin endpoints embed configuration values or internal state that should be restricted to administrators. Authenticated users with minimal capabilities can reach these endpoints and read the embedded data.
Attack Vector
An attacker authenticates to the target WordPress site using any account with at least subscriber-level access. The attacker then issues a crafted HTTP request to a plugin endpoint that returns sensitive information embedded in its response. The response body discloses data that aids reconnaissance for follow-on attacks against the WordPress installation or its hosting environment. Technical exploitation details are documented in the Patchstack advisory.
Detection Methods for CVE-2025-60167
Indicators of Compromise
- Repeated requests to Page Manager for Elementor plugin endpoints from low-privileged user sessions
- Unusual HTTP GET or POST requests targeting /wp-admin/admin-ajax.php with plugin-specific actions
- Response bodies returning configuration or system metadata to non-administrator accounts
- Authenticated sessions from subscriber accounts performing reconnaissance-style activity
Detection Strategies
- Enumerate WordPress installations and confirm Page Manager for Elementor version is <= 2.0.5
- Review web server access logs for authenticated requests to plugin AJAX or REST routes by non-admin roles
- Correlate WordPress audit logs with HTTP traffic to identify privilege mismatches
- Compare baseline response sizes for plugin endpoints to detect anomalous data returns
Monitoring Recommendations
- Enable WordPress activity logging to capture authenticated user actions against plugin endpoints
- Forward web server and application logs to a centralized analytics platform for correlation
- Alert on newly created low-privilege accounts followed by plugin endpoint access
- Track plugin inventory across hosted WordPress sites to identify exposed instances
How to Mitigate CVE-2025-60167
Immediate Actions Required
- Inventory all WordPress sites and identify installations running Page Manager for Elementor <= 2.0.5
- Update the plugin to a patched version released after 2.0.5 once available from the vendor
- Audit user accounts and remove unused or unrecognized low-privilege accounts
- Restrict registration on sites that do not require public account creation
Patch Information
No fixed version is identified in the published NVD record at the time of disclosure. Monitor the Patchstack advisory and the official plugin page for an updated release that addresses the authorization gap in the affected endpoints.
Workarounds
- Deactivate and remove the Page Manager for Elementor plugin until a patched version is published
- Apply a virtual patch through a Web Application Firewall (WAF) to block requests to the vulnerable plugin endpoints from non-administrator sessions
- Limit user registration and review role assignments to ensure least privilege
- Disable public-facing registration forms on production sites that do not require them
```shell
# Disable the vulnerable plugin via WP-CLI until a patched release is available
wp plugin deactivate page-manager-for-elementor
wp plugin delete page-manager-for-elementor
# Verify the plugin is no longer active (grep exits non-zero when nothing matches)
wp plugin list --status=active | grep page-manager-for-elementor \
  || echo "page-manager-for-elementor is not active"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.