CVE-2025-8488: 
WordPress vulnerability analysis and mitigation

The Ultimate Addons for Elementor (formerly Elementor Header & Footer Builder) WordPress plugin contains a vulnerability identified as CVE-2025-8488. The vulnerability was discovered and disclosed on August 2, 2025, affecting all versions up to and including 2.4.6. This security issue is present in the plugin's compatibility option functionality (NVD).

The vulnerability stems from a missing capability check in the savehfecompatibilityoptioncallback() function. This security flaw has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-862: Missing Authorization (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify the compatibility option settings of the plugin. This unauthorized modification of data could potentially affect the plugin's functionality and site configuration (NVD).

The vulnerability has been patched in version 2.4.7 of the Ultimate Addons for Elementor plugin. Users are advised to update to this version or later to protect their installations (WordPress Plugin).