CVE-2025-0968

5.3 MEDIUM

📋 TL;DR

The ElementsKit Elementor addons plugin for WordPress has an information disclosure vulnerability that allows unauthenticated attackers to view any content created in Elementor, including private posts, drafts, and trashed items. This affects all WordPress sites using ElementsKit Lite plugin versions up to and including 3.4.0.

💻 Affected Systems

Products:
  • ElementsKit Lite (WordPress plugin)
Versions: All versions up to and including 3.4.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Elementor page builder and ElementsKit Lite plugin installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive unpublished content, proprietary information, draft posts containing credentials, or private business documents before official publication.

🟠 Likely Case

Unauthenticated users can view draft posts, private pages, and unpublished templates, potentially exposing sensitive information or proprietary content.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to information exposure without modification or deletion capabilities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple HTTP request to the vulnerable endpoint is enough; no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.1

Vendor Advisory: https://wordpress.org/plugins/elementskit-lite/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find ElementsKit Lite
4. Click 'Update Now' if available
5. Or download version 3.4.1+ from WordPress repository
6. Deactivate and delete old version
7. Upload and activate new version

🔧 Temporary Workarounds

Disable vulnerable endpoint via .htaccess

Platform: linux

Block access to the vulnerable API endpoint:

RewriteEngine On
RewriteRule ^wp-content/plugins/elementskit-lite/modules/megamenu/api\.php$ - [F,L]

Temporarily disable plugin

Platform: all

Deactivate ElementsKit Lite plugin until patched:

wp plugin deactivate elementskit-lite

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests to /wp-content/plugins/elementskit-lite/modules/megamenu/api.php
  • Restrict access to WordPress admin area using IP whitelisting or authentication gateways

🔍 How to Verify

Check if Vulnerable:

In WordPress admin, go to Plugins and check the ElementsKit Lite version. If the version is ≤3.4.0, the site is vulnerable.

Check Version:

wp plugin get elementskit-lite --field=version

Verify Fix Applied:

After update, confirm version is 3.4.1+ in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /wp-content/plugins/elementskit-lite/modules/megamenu/api.php with post_id parameter

Network Indicators:

  • Unusual traffic to plugin API endpoint from unauthenticated sources

SIEM Query:

source="web_logs" AND uri="/wp-content/plugins/elementskit-lite/modules/megamenu/api.php" AND method="GET"
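
Where no SIEM is available, the same indicator can be checked directly against web server access logs. The script below is an added example, not part of the advisory or the plugin: it assumes Combined Log Format, uses the endpoint path and post_id parameter listed above, and runs over constructed sample lines. The function name find_hits and the report layout are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Endpoint and parameter exactly as listed in the advisory's log indicators.
ENDPOINT = "/wp-content/plugins/elementskit-lite/modules/megamenu/api.php"
PARAM = "post_id"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
_T = "[01/Jan/2025:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {_T} "GET {ENDPOINT}?post_id=101 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    f'203.0.113.7 - - {_T} "GET {ENDPOINT}?post_id=102 HTTP/1.1" 200 4100 "-" "curl/8.0"',
    f'203.0.113.7 - - {_T} "GET {ENDPOINT}?post_id=103 HTTP/1.1" 403 199 "-" "curl/8.0"',
    f'198.51.100.4 - - {_T} "GET /index.php?post_id=5 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - {_T} "POST {ENDPOINT} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

def find_hits(lines):
    """Per client IP: distinct post_id values requested and how many got a 2xx."""
    hits = defaultdict(lambda: {"post_ids": set(), "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        # Split by hand: urlsplit() would read a leading "//" as a host name.
        path, _, query = m["target"].partition("?")
        path = re.sub(r"/{2,}", "/", path)  # collapse duplicate slashes
        ids = parse_qs(query).get(PARAM, [])
        # endswith() also covers WordPress installed in a subdirectory.
        if not path.endswith(ENDPOINT) or not ids:
            continue
        entry = hits[m["ip"]]
        entry["post_ids"].update(ids)
        if m["status"].startswith("2"):
            entry["served"] += 1  # non-2xx (e.g. 403) means the request was blocked
    return {ip: {"post_ids": sorted(e["post_ids"]), "served": e["served"]}
            for ip, e in hits.items()}

if __name__ == "__main__":
    for ip, info in find_hits(SAMPLE_LOG).items():
        print(ip, info)
```

A non-zero served count for an address means content was returned before the patch or block rule was in place; the listed post_id values identify which items to review for sensitive material.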
