CVE-2025-64244

Restrict Elementor Widgets, Columns and Sections <= 1.12 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Restrict Elementor Widgets, Columns and Sections plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.12. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.12
PublishedDecember 13, 2025
Last updatedDecember 19, 2025
Research Plan
Unverified

This plan outlines the process for researching and exploiting CVE-2025-64244, a Missing Authorization vulnerability in the "Restrict Elementor Widgets, Columns and Sections" plugin. ### 1. Vulnerability Summary The "Restrict Elementor Widgets, Columns and Sections" plugin (versions <= 1.12) contain…

Show full research plan

This plan outlines the process for researching and exploiting CVE-2025-64244, a Missing Authorization vulnerability in the "Restrict Elementor Widgets, Columns and Sections" plugin.

1. Vulnerability Summary

The "Restrict Elementor Widgets, Columns and Sections" plugin (versions <= 1.12) contains a vulnerability where an AJAX handler or a initialization hook fails to perform a capability check (e.g., current_user_can('manage_options')). This allows any authenticated user, including those with low-privilege "Subscriber" roles, to trigger administrative functions. These functions typically include updating plugin settings, which can be used to disable restrictions or modify how Elementor elements are rendered for other users.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action: Likely an AJAX action prefixed with rew_ or restrict_elementor_ (e.g., wp_ajax_rew_save_settings or wp_ajax_restrict_elementor_save_options).
  • Payload Parameter: Likely a settings array or individual option keys sent via POST.
  • Authentication: Subscriber-level access (PR:L) is required.
  • Preconditions: The plugin must be active. The attacker must have a valid login for a Subscriber account.

3. Code Flow Analysis

To identify the exact code path, the following trace is required:

  1. Entry Point: The plugin registers AJAX handlers in its main file or a dedicated admin class.
    • Search: grep -r "wp_ajax_" .
  2. Hook Registration: Look for lines like add_action( 'wp_ajax_RELEVANT_ACTION', 'FUNCTION_NAME' );. Note that there is likely no wp_ajax_nopriv_ equivalent, as this is an authenticated-only vulnerability.
  3. Vulnerable Function: Locate FUNCTION_NAME.
  4. The Sink: Inside the function, look for:
    • A call to update_option().
    • The absence of if ( ! current_user_can( 'manage_options' ) ).
    • The presence or absence of check_ajax_referer().

4. Nonce Acquisition Strategy

If the function uses check_ajax_referer(), we must find where the nonce is exposed.

  1. Identify Nonce Action: Look for wp_create_nonce( 'SOME_ACTION_STRING' ) in the PHP code.
  2. Locate JS Localization: Look for wp_localize_script() calls.
    • Grep: grep -r "wp_localize_script" .
  3. Find Trigger: Identify which admin page or frontend shortcode enqueues the script containing the nonce.
  4. Acquisition via Browser:
    • If the nonce is in the WordPress Dashboard (accessible to Subscribers):
      • Navigate to /wp-admin/index.php.
      • Use browser_eval to find the object: browser_eval("window.rew_object?.nonce").
    • If the nonce is only on the settings page (restricted to admins), check if the plugin accidentally enqueues it for all authenticated users on the profile.php page.

5. Exploitation Strategy

Once the action and nonce (if required) are identified:

  1. Preparation: Log in as a Subscriber.
  2. Request Construction: Use the http_request tool.
    • Method: POST
    • URL: http://localhost:8888/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=IDENTIFIED_ACTION&
      _wpnonce=EXTRACTED_NONCE&
      settings[some_critical_option]=new_value
      
  3. Payload: Attempt to modify a setting that disables the plugin's primary function, such as rew_enable_restrictions = 0.

6. Test Data Setup

  1. Install Plugin: Ensure restrict-elementor-widgets version 1.12 is installed.
  2. Create Content: Create an Elementor page with a "Restricted" widget (e.g., hidden from guests).
  3. Create User: wp user create attacker attacker@example.com --role=subscriber --user_pass=password.
  4. Identify Settings: Use wp option get to list current plugin settings (e.g., wp option get rew_settings).

7. Expected Results

  • HTTP Response: A 200 OK response, likely containing {"success":true} or 1.
  • Side Effect: The WordPress database option associated with the plugin settings will be updated.
  • Impact: A restriction previously applied to an Elementor widget will no longer be enforced because the attacker changed the global settings.

8. Verification Steps

  1. Verify via CLI: Check the option value immediately after the request:
    • wp option get rew_settings (or the relevant option name identified during research).
  2. Check Behavior: Visit the page with the restricted widget as a Guest and confirm the restriction is bypassed.

9. Alternative Approaches

  • Missing Nonce: If check_ajax_referer is entirely missing, the exploit becomes a trivial CSRF/Unauthorized request requiring no nonce.
  • admin_init Hook: If the vulnerability is not in an AJAX handler but in a function hooked to admin_init, the attacker can trigger it by simply visiting /wp-admin/admin-ajax.php (even with no action) as long as the code doesn't check capabilities.
  • Parameter Polling: If the function uses $_REQUEST instead of $_POST, try sending parameters via GET.

Specific Identifiers to Verify (Research Phase)

The agent should look for these specific strings in the plugin directory:

  • Action strings: rew_save_admin_settings, restrict_elementor_settings_save.
  • Localization keys: rew_params, restrict_elementor_vars.
  • Option names: rew_settings, restrict_elementor_options.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Restrict Elementor Widgets, Columns and Sections plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check in an AJAX handler. This allows authenticated users, such as Subscribers, to change plugin configurations, which can lead to bypassing access restrictions placed on Elementor widgets, columns, or sections.

Vulnerable Code

// Inferred from research plan - exact file path and line numbers unknown

add_action( 'wp_ajax_rew_save_settings', 'rew_save_settings_callback' );

function rew_save_settings_callback() {
    // The function lacks a check for current_user_can( 'manage_options' )
    // and potentially lacks check_ajax_referer()

    if ( isset( $_POST['settings'] ) ) {
        $settings = $_POST['settings'];
        update_option( 'rew_settings', $settings );
        wp_send_json_success();
    }
}

Security Fix

--- a/restrict-elementor-widgets/admin/admin.php
+++ b/restrict-elementor-widgets/admin/admin.php
@@ -10,6 +10,10 @@
 function rew_save_settings_callback() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized', 403 );
+    }
+    check_ajax_referer( 'rew_save_settings_nonce', 'security' );
+
     if ( isset( $_POST['settings'] ) ) {
         $settings = $_POST['settings'];
         update_option( 'rew_settings', $settings );

Exploit Outline

The exploit involves an authenticated attacker with low-level privileges (e.g., Subscriber) performing the following steps: 1. Log in to the WordPress site as a Subscriber. 2. Obtain a valid AJAX nonce if the plugin enqueues one for all authenticated users (often found via window.rew_object or similar localized script objects in the dashboard). 3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable AJAX handler (likely rew_save_settings). 4. Include a 'settings' payload in the POST body that modifies the plugin's behavior, such as disabling restrictions or granting permissions to roles that should not have access to specific Elementor elements. 5. Verify the configuration change by checking the 'rew_settings' option in the database or observing the bypass on the frontend.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.