CVE-2025-8488: 
WordPress vulnerability analysis and mitigation

The Ultimate Addons for Elementor (formerly Elementor Header & Footer Builder) WordPress plugin contains a vulnerability identified as CVE-2025-8488. The vulnerability was discovered by Peter Thaleikis and publicly disclosed on August 1, 2025. It affects all versions up to and including 2.4.6, allowing unauthorized modification of data due to a missing capability check in the savehfecompatibilityoptioncallback() function (NVD).

The vulnerability stems from a missing authorization check in the savehfecompatibilityoptioncallback() function, which allows authenticated users with Subscriber-level access and above to modify the compatibility option setting. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness has been categorized as CWE-862: Missing Authorization (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level privileges or higher to modify the plugin's compatibility option settings, potentially affecting the plugin's functionality and configuration (NVD).

Users should upgrade to version 2.4.7 or later of the Ultimate Addons for Elementor plugin, which includes proper capability checks for the affected function (WordPress Plugin).