Platform
wordpress
Component
premium-addons-for-elementor
Fixed in
4.11.54
A Cross-Site Request Forgery (CSRF) vulnerability exists in Premium Addons for Elementor, a WordPress plugin, affecting versions from 0.0.0 through 4.11.53. The flaw allows unauthenticated attackers to create arbitrary Elementor templates if they can trick a user with the 'edit_posts' capability into performing the action. The root cause is missing nonce validation in the 'insert_inner_template' function. A patch is available in version 4.11.54.
Successful exploitation of this CSRF vulnerability allows an attacker to create malicious Elementor templates on a WordPress site without authenticating themselves, by riding on the session of a logged-in victim. This could lead to defacement of the website, injection of malicious code into templates, or unauthorized modification of site content. The attacker needs to craft a malicious link or form that, when clicked or submitted by a vulnerable user, triggers the template creation. The impact is amplified if the targeted user has elevated privileges, such as a site administrator, granting the attacker greater control over the website's appearance and functionality. This is similar to other CSRF vulnerabilities in which actions are performed in the user's context without their knowledge.
This vulnerability was publicly disclosed on December 23, 2025. There is no indication of active exploitation campaigns at this time. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability has not been added to the CISA KEV catalog. Severity is assessed as Medium based on the CVSS score.
WordPress websites using Premium Addons for Elementor, particularly those with multiple users having 'edit_posts' capabilities, are at risk. Shared hosting environments where users have limited control over plugin updates are also more vulnerable. Sites with legacy configurations or outdated security practices are especially susceptible.
• wordpress / composer / npm:
grep -r 'insert_inner_template' /var/www/html/wp-content/plugins/premium-addons-for-elementor/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'premium-addons-for-elementor'
• wordpress / composer / npm:
wp plugin update premium-addons-for-elementor
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Premium Addons for Elementor to version 4.11.54 or later, which includes the necessary nonce validation to prevent CSRF attacks. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, restrict access to template creation functionalities to authorized users only. Regularly review user permissions and ensure the principle of least privilege is enforced. After upgrading, confirm the fix by attempting to create a template via a crafted CSRF request and verifying that the action is blocked.
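The advisory attributes the flaw to a missing nonce check in an admin-ajax handler. The following is an added illustration of how such a handler is hardened in WordPress; it is not the plugin's code, and the handler name, action name and script handle ('example-editor', assumed to be registered elsewhere) are hypothetical:

```php
<?php
// Added example (not the plugin's code): a WordPress admin-ajax handler that
// creates an Elementor-style template, hardened against CSRF as the advisory
// describes. Handler, action and script names are hypothetical.

// Server side: register the handler only for logged-in users (wp_ajax_ prefix,
// not wp_ajax_nopriv_), so anonymous requests never reach it.
add_action( 'wp_ajax_example_insert_template', 'example_insert_template' );

function example_insert_template() {
    // 1. Nonce check. The vulnerable pattern skipped this step, so any request
    //    carrying the victim's session cookie was accepted. check_ajax_referer()
    //    verifies the 'nonce' field against the action name and terminates the
    //    request with -1 on failure.
    check_ajax_referer( 'example_insert_template', 'nonce' );

    // 2. Capability check. A nonce proves intent, not authorization; both are
    //    needed. Use the capability the feature is meant to require.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: unslash and sanitize before use.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    $post_id = wp_insert_post( array(
        'post_type'    => 'elementor_library', // Elementor's template post type
        'post_status'  => 'publish',
        'post_title'   => $title,
        'post_content' => $content,
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}

// Client side: hand the nonce to the (assumed registered) editor script so
// legitimate requests can include it. A cross-site page cannot read this
// value, which is what makes the server-side check effective.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-editor', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_insert_template' ),
    ) );
} );
```

When auditing a plugin, look for `wp_ajax_` handlers that call write operations such as wp_insert_post() without a preceding check_ajax_referer() or wp_verify_nonce() call together with a current_user_can() check.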
Update to version 4.11.54 or a later patched version
CVE-2025-14163 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Premium Addons for Elementor WordPress plugin, versions 0.0.0 through 4.11.53, allowing attackers to create templates without authenticating themselves.
You are affected if your WordPress site uses Premium Addons for Elementor version 0.0.0 through 4.11.53. Check your plugin version and upgrade if necessary.
Upgrade Premium Addons for Elementor to version 4.11.54 or later. Consider implementing a WAF as an interim measure.
There is currently no evidence of active exploitation, but it's crucial to apply the patch to prevent potential future attacks.
Refer to the official Premium Addons for Elementor website or WordPress plugin repository for the latest advisory and update information.