CVE-2025-57939: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Blocksera Image Hover Effects – Elementor Addon affecting versions through 1.4.4. The vulnerability was discovered and reported by security researcher ch4r0n on July 18, 2025, and was publicly disclosed on September 22, 2025. The vulnerability has been assigned CVE-2025-57939 (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue that allows exploiting incorrectly configured access control security levels. It received a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (NVD).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to broken access control. While the specific impact varies case by case, the CVSS scoring indicates that the primary impact is on the integrity of the system, with no confidentiality impact and no availability impact (Patchstack).

No official fix is available for this vulnerability. The recommended mitigation is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive updates. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).