CVE-2025-63053

Master Addons for Elementor <= 2.0.9.9.4 - Unauthenticated Insecure Direct Object Reference

mediumAuthorization Bypass Through User-Controlled Key
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.1.0
Patched in
28d
Time to patch

Description

The Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9.9.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.9.9.4
PublishedDecember 31, 2025
Last updatedJanuary 27, 2026
Affected pluginmaster-addons

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-63053 ## 1. Vulnerability Summary The **Master Addons for Elementor** plugin (up to version 2.0.9.9.4) contains an **Insecure Direct Object Reference (IDOR)** vulnerability in its settings-handling logic. The plugin registers AJAX handlers for updating plugin …

Show full research plan

Exploitation Research Plan: CVE-2025-63053

1. Vulnerability Summary

The Master Addons for Elementor plugin (up to version 2.0.9.9.4) contains an Insecure Direct Object Reference (IDOR) vulnerability in its settings-handling logic. The plugin registers AJAX handlers for updating plugin settings (including White Labeling features) without properly checking for administrative capabilities. By providing a user-controlled key in the request, an unauthenticated attacker can modify plugin configurations.

The core issue resides in the registration of wp_ajax_nopriv_ hooks for functions intended for administrative use, combined with a lack of current_user_can('manage_options') validation within the handler itself.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: jltma_save_white_label_settings (inferred) or jltma_save_settings (inferred).
  • Vulnerable Parameter: jltma_white_label_settings (array) or fields (array).
  • Authentication: Unauthenticated (via wp_ajax_nopriv_).
  • Preconditions: The "White Label" feature or general settings must be reachable via AJAX, and a valid nonce must be obtained from the frontend.

3. Code Flow

  1. Entry Point: The attacker sends a POST request to admin-ajax.php with the action jltma_save_white_label_settings.
  2. Hook Registration: The plugin (likely in inc/admin/dashboard/white-label.php or a similar class) registers:
    add_action( 'wp_ajax_nopriv_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] );
    
  3. Nonce Verification: The function calls check_ajax_referer( 'jltma_white_label_nonce', 'security' ) or uses a generic nonce like jltma_nonce.
  4. Missing Auth Check: The function proceeds to update the database without calling current_user_can().
  5. Sink: The function calls update_option( 'jltma_white_label_settings', $_POST['jltma_white_label_settings'] ).
  6. Result: The attacker overwrites the plugin's branding settings, effectively "referencing" the settings object via the user-controlled POST keys.

4. Nonce Acquisition Strategy

Master Addons localizes settings and nonces into a global JavaScript object, usually named jltma_data. This object is often enqueued on the frontend if any Master Addons widgets are present on a page.

  1. Identify Script Loading: Find a page that uses a Master Addons widget (e.g., a simple button or heading).
  2. Setup Test Page:
    wp post create --post_type=page --post_title="MA Test" --post_status=publish --post_content='[ma-el-button]'
    
  3. Navigate and Extract:
    • Use browser_navigate to visit the newly created page.
    • Use browser_eval to extract the nonce from the jltma_data object.
    • JS Path: window.jltma_data?.nonce or window.master_addons_js_data?.nonce.

5. Exploitation Strategy

Step 1: Obtain Nonce

Access the frontend of the site where Master Addons is active and extract the nonce from the localized script data.

Step 2: Send Exploit Payload

Craft a POST request to admin-ajax.php to modify the White Label settings. We will attempt to change the "Plugin Name" and "Plugin Description" to demonstrate unauthorized modification.

  • URL: http://<target>/wp-admin/admin-ajax.php
Research Findings
Static analysis — not yet PoC-verified

Summary

The Master Addons for Elementor plugin is vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) that allows attackers to modify plugin settings, including White Label configurations. This occurs because the plugin exposes administrative settings-saving AJAX actions to unauthenticated users via 'wp_ajax_nopriv_' hooks without performing proper capability checks.

Vulnerable Code

// inc/admin/dashboard/white-label.php (approximate)
add_action( 'wp_ajax_nopriv_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] );
add_action( 'wp_ajax_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] );

---

// inc/admin/dashboard/white-label.php (approximate)
public function jltma_save_white_label_settings() {
    check_ajax_referer( 'jltma_white_label_nonce', 'security' );

    if ( isset( $_POST['jltma_white_label_settings'] ) ) {
        // Vulnerability: Missing current_user_can('manage_options') check before updating global settings
        update_option( 'jltma_white_label_settings', $_POST['jltma_white_label_settings'] );
    }
    wp_send_json_success();
}

Security Fix

--- a/inc/admin/dashboard/white-label.php
+++ b/inc/admin/dashboard/white-label.php
@@ -1,5 +1,4 @@
-add_action( 'wp_ajax_nopriv_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] );
 add_action( 'wp_ajax_jltma_save_white_label_settings', [ $this, 'jltma_save_white_label_settings' ] );
 
 public function jltma_save_white_label_settings() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( [ 'message' => 'Unauthorized' ] );
+    }
     check_ajax_referer( 'jltma_white_label_nonce', 'security' );

Exploit Outline

1. Visit the frontend of a site running Master Addons for Elementor to find a page where the plugin's scripts are enqueued. 2. Extract the AJAX nonce from the localized JavaScript object (typically 'jltma_data' or 'master_addons_js_data') found in the HTML source. 3. Construct a POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'jltma_save_white_label_settings'. 4. Include the extracted nonce in the 'security' parameter. 5. Include a payload in the 'jltma_white_label_settings' parameter (e.g., an array containing new plugin names, branding strings, or display settings). 6. Send the request without authentication. The plugin will verify the nonce but fail to check the user's permissions, leading to a global configuration update.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.