CVE-2025-60167: 
WordPress vulnerability analysis and mitigation

A sensitive data exposure vulnerability was identified in the WordPress Page Manager for Elementor plugin, tracked as CVE-2025-60167. The vulnerability affects versions up to and including 2.0.5 of the plugin, allowing unauthorized access to sensitive system information. The issue was discovered by security researcher SashaRyba and was publicly disclosed on September 26, 2025 (Patchstack).

The vulnerability is classified as an Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497). It has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability requires low attack complexity and can be exploited remotely with low privileges (Patchstack).

The vulnerability allows malicious actors to view sensitive information that is normally not available to regular users. This exposed data could potentially be used to exploit other weaknesses in the system. The impact is particularly concerning as the software is considered abandoned, having not received updates for over a year (Patchstack).

As no official fix is available and the software is considered abandoned, the recommended mitigation strategy is to remove and replace the Page Manager for Elementor plugin with an alternative solution. It's important to note that merely deactivating the software does not remove the security threat unless a virtual patch (vPatch) is deployed (Patchstack).