PT-2025-6797 · WordPress · Dethemekit For Elementor

Craig Smith +1 · Published 2025-02-13 · Updated 2025-02-24 · CVE-2025-0661

CVSS v3.1

4.3 Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

DethemeKit For Elementor plugin for WordPress versions up to, and including, 2.36

Description

The issue allows authenticated attackers with Contributor-level access and above to extract data from password protected, private, draft, or scheduled posts by duplicating them. This is due to insufficient restrictions on which posts can be duplicated via the duplicate_post() function.

Recommendations

For versions up to, and including, 2.36, consider disabling the duplicate_post() function until a patch is available to prevent exploitation. Restrict access to sensitive posts and ensure that only authorized users have Contributor-level access and above to minimize the risk of data exposure.
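
The missing restriction described above is an object-level authorization check on the post being copied. The following is an added example of a duplicate handler that performs it; it is not the plugin's code or its patch, and the hook name, function name and nonce action are hypothetical.

```php
<?php
// Added illustration, not DethemeKit code. The hook, function and nonce
// action names below are hypothetical.
add_action( 'admin_action_example_duplicate_post', 'example_duplicate_post' );

function example_duplicate_post() {
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;

    // CSRF protection: the nonce is bound to the specific post being duplicated.
    check_admin_referer( 'example_duplicate_post_' . $post_id );

    $source = $post_id ? get_post( $post_id ) : null;
    if ( ! $source ) {
        wp_die( 'Post not found.', '', array( 'response' => 404 ) );
    }

    // A role-wide check such as current_user_can( 'edit_posts' ) is not enough:
    // every Contributor holds it, and it says nothing about THIS post.
    // The 'edit_post' meta capability is resolved against the post's author and
    // status, so another user's draft, private, scheduled or password-protected
    // post is refused for a Contributor.
    if ( ! current_user_can( 'edit_post', $source->ID ) ) {
        wp_die( 'You are not allowed to duplicate this post.', '', array( 'response' => 403 ) );
    }

    $new_id = wp_insert_post(
        wp_slash(
            array(
                'post_type'    => $source->post_type,
                'post_title'   => $source->post_title,
                'post_content' => $source->post_content,
                'post_excerpt' => $source->post_excerpt,
                'post_status'  => 'draft', // never inherit publish/private/future
                'post_author'  => get_current_user_id(),
                // post_password is deliberately not copied to the duplicate.
            )
        ),
        true // return a WP_Error on failure instead of 0
    );
    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ), '', array( 'response' => 500 ) );
    }

    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
```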

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-0661

Affected Products

Dethemekit For Elementor