CVE-2025-0968 - Sensitive Data Exposure in ElementsKit Elementor Addons Plugin for WordPress (All Versions ≤ 3.4.)
---
If you’re building websites with WordPress and use the popular ElementsKit Elementor Addons plugin, listen up! A new critical vulnerability — CVE-2025-0968 — affects all versions up to, and including, 3.4. of the plugin. This flaw can leak private content to any unauthenticated attacker and is easy to exploit.
What Is CVE-2025-0968?
CVE-2025-0968 is a vulnerability found in ElementsKit for Elementor (by Wpmet) — one of the most downloaded addons in the world (over 1 million installs). This plugin adds widgets and tools for Elementor, the site builder.
The problem:
A critical function called get_megamenu_content() does _not_ check what kind of user is asking for sensitive information. That means _anyone_, logged in or not, can fetch data meant to be private — like:
- private templates,
All these can be read just by making a simple HTTP request.
Why Is It Dangerous?
Imagine writing up a new product, but keeping it private or in draft mode on your site. Normally, only logged-in users (maybe just admins) could see it.
But: With CVE-2025-0968, anyone on the web can steal that private info with a single request.
- Find and exploit unpublished pages or features
- Gather competitors’ content, or grab staff/personal posts
Technical Breakdown
The vulnerable function is registered with the WordPress AJAX handler, but it does NOT verify user permissions. Let's break it down.
Here’s a simplified version based on what happens in ElementsKit:
// Registered for logged-in users AND (via nopriv) for anonymous visitors.
add_action( 'wp_ajax_get_megamenu_content', 'get_megamenu_content' );
add_action( 'wp_ajax_nopriv_get_megamenu_content', 'get_megamenu_content' );

function get_megamenu_content() {
    // No nonce check and no capability check before this point.
    $post_id = intval( $_POST['post_id'] );
    $content = get_post( $post_id ); // This can return drafts/private too!
    if ( $content ) {
        echo wp_json_encode( $content ); // Full WP_Post object, including post_content.
    } else {
        echo 'Error: No content found.';
    }
    wp_die();
}
What’s missing?
No check for what the current user can do! Any anonymous visitor can POST to this AJAX endpoint and get full post details — even if the content is private/draft/trashed.
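For comparison, here is a hardened version of the same handler. This is an added example, not ElementsKit's own code or its actual patch; the nonce action name 'ekit_megamenu', the 'nonce' request field and the helper names are assumptions. The point is that the authorization decision is made per post and per caller before anything is returned, and that anonymous callers only ever see posts that are already public on the site.

```php
<?php
/**
 * Added example (not ElementsKit's own code): a hardened version of the
 * handler sketched above. 'ekit_megamenu', the 'nonce' field and the
 * hardened_* function names are assumptions for illustration.
 */

add_action( 'wp_ajax_get_megamenu_content',        'hardened_get_megamenu_content' );
add_action( 'wp_ajax_nopriv_get_megamenu_content', 'hardened_get_megamenu_content' );

/**
 * Decide whether the current request may read $post.
 * Anonymous callers only get posts in a public status of a viewable post type;
 * logged-in callers go through WordPress's own read_post meta capability,
 * which already accounts for private posts, drafts, trash and the post author.
 */
function hardened_can_read_post( WP_Post $post ) {
    if ( ! is_post_type_viewable( $post->post_type ) ) {
        return false;
    }
    if ( post_password_required( $post ) ) {
        return false;
    }
    if ( ! is_user_logged_in() ) {
        $status = get_post_status_object( get_post_status( $post ) );
        return $status && $status->public;
    }
    return current_user_can( 'read_post', $post->ID );
}

function hardened_get_megamenu_content() {
    // A nonce is CSRF protection only; it does not authorize anything.
    // The capability/status check below is the actual fix for this flaw.
    check_ajax_referer( 'ekit_megamenu', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Same response for "does not exist" and "not allowed", so the endpoint
    // cannot be used to enumerate which IDs hold private content.
    if ( ! $post || ! hardened_can_read_post( $post ) ) {
        wp_send_json_error( array( 'message' => 'No content found.' ), 404 );
    }

    // Return only what the menu needs, never the raw WP_Post object.
    wp_send_json_success( array(
        'id'      => $post->ID,
        'title'   => get_the_title( $post ),
        'content' => apply_filters( 'the_content', $post->post_content ),
    ) );
}
```

Note that `current_user_can( 'read_post', $id )` returns false for anonymous visitors even on published posts (they have no `read` capability), which is why the anonymous branch checks the post status object's `public` flag instead of the capability.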
Let’s exploit it on the command line with cURL:
curl -X POST https://victim.com/wp-admin/admin-ajax.php \
-d action=get_megamenu_content \
-d post_id=47
What Do You Get?
The response will be the _full_ raw WordPress post object for the specified post ID — even if it’s a draft, trash, or private post.
Hackers can repeat this for every post ID, harvesting lots of sensitive or unfinished content.
References
- Wordfence Advisory for CVE-2025-0968
- ElementsKit on WordPress.org
- Plugin Code on GitHub (unofficial mirror)
Block Access to admin-ajax.php for Unauthenticated Users:
As a temporary fix, limit access to this script to logged-in users only, using your firewall or server rules. Be aware that this also blocks any legitimate front-end feature that relies on unauthenticated AJAX (the wp_ajax_nopriv_* actions), so test the site after applying the rule.
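If you would rather do the temporary restriction inside WordPress than in the web server, a must-use plugin can deny unauthenticated admin-ajax.php calls by default while still allowing a short list of nopriv actions the site really needs. This is an added example, not part of the original post or of ElementsKit; the file name, function names and the contents of the allowlist are assumptions that you would adapt to your own site.

```php
<?php
/**
 * Plugin Name: Temporary admin-ajax allowlist (added example)
 *
 * Added example, not part of the original post or of ElementsKit. Save as
 * wp-content/mu-plugins/tmp-ajax-allowlist.php (assumed path) until the
 * plugin is updated, then remove it.
 */

/**
 * nopriv actions that may still be called without a login. This list is an
 * assumption: fill it with the actions your theme and plugins legitimately
 * expose to anonymous visitors.
 */
function tmp_ajax_nopriv_allowlist() {
    return array(
        'heartbeat',
    );
}

/**
 * Runs on admin_init, which admin-ajax.php fires before dispatching to the
 * wp_ajax_nopriv_{action} hooks, so the vulnerable handler never executes
 * for anonymous callers.
 */
function tmp_block_unauth_ajax() {
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( in_array( $action, tmp_ajax_nopriv_allowlist(), true ) ) {
        return;
    }

    // Leave a trace in the PHP error log so blocked attempts are visible.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'Blocked unauthenticated admin-ajax action "%s" from %s', $action, $remote ) );

    wp_send_json_error( array( 'message' => 'Login required.' ), 403 );
}
add_action( 'admin_init', 'tmp_block_unauth_ajax' );
```

The deny-by-default shape matters: denying only get_megamenu_content would cover this CVE but nothing else, whereas the allowlist forces you to enumerate what anonymous visitors actually need from admin-ajax.php, which is the same review the web-server rule in the text requires.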
Conclusion
CVE-2025-0968 is dangerously simple but powerful: a single missing line of code turns any user into an “admin” (for reading content)! If you use ElementsKit with Elementor, update now — don’t leave your work and ideas open to the whole world.
For more details and active exploits, keep an eye on the official plugin changelog and the Wordfence advisory.
Timeline
Published on: 02/19/2025 12:15:31 UTC
Last modified on: 02/25/2025 20:21:17 UTC