Platform
wordpress
Component
responsive-add-ons
Fixed in
3.4.3
CVE-2025-15488 is a critical remote code execution (RCE) vulnerability in the Responsive Plus – Elementor Templates & Starter Sites plugin for WordPress. Successful exploitation allows unauthenticated attackers to execute arbitrary code on the server, leading to complete system compromise. All plugin versions before 3.4.3 are affected; the fix is available in version 3.4.3.
Arbitrary code execution on a web server is among the most severe vulnerability classes. An attacker exploiting CVE-2025-15488 could achieve complete system compromise, including data exfiltration, malware installation and denial of service; they could modify website content, steal sensitive user data (including login credentials) and potentially pivot to other systems on the network. Because the plugin is popular and integrates with Elementor, a widely used page builder, the blast radius is significant and could span many WordPress sites. The flaw resembles other RCE vulnerabilities in WordPress plugins where insufficient input validation allows code injection.
CVE-2025-15488 was published on 2026-03-30. Its critical CVSS score indicates a high probability of exploitation, and public proof-of-concept (PoC) code is likely to emerge quickly, increasing the risk of widespread exploitation. The vulnerability is not currently listed on KEV or EPSS, but given its severity and ease of exploitation it is likely to be added. Monitor security advisories and threat-intelligence feeds for updates on active campaigns targeting it.
Exploit status
EPSS
0.10% (28th percentile)
CVSS vector
The primary mitigation for CVE-2025-15488 is to upgrade the Responsive Plus plugin to version 3.4.3 or later immediately. If an upgrade is not immediately feasible because of compatibility or testing requirements, consider temporarily disabling the plugin to prevent exploitation. No direct workaround is available, but a web application firewall (WAF) with rules that filter suspicious requests to the plugin's vulnerable endpoints can provide a temporary layer of protection. Monitor WordPress logs for suspicious activity related to the plugin. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality and verifying that it is no longer exploitable.
Update to version 3.4.3 or a newer patched version
RCE is a class of vulnerability that lets an attacker execute arbitrary code on a server, which can give the attacker complete control over it.
If you are running a version of Responsive Plus earlier than 3.4.3, your website is vulnerable. You can check the installed plugin version in the WordPress admin dashboard under the 'Plugins' section.
Implement additional security measures, such as a web application firewall (WAF), and monitor server logs.
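The version check described above can also be scripted for a fleet of sites. This is an added example, not code from the advisory or the plugin: it parses the standard WordPress plugin header and compares the installed version against the fixed version 3.4.3. The path of the plugin's main file (wp-content/plugins/responsive-add-ons/responsive-add-ons.php) is an assumption.

```python
"""Version check for Responsive Plus (responsive-add-ons). Added example, not from the
advisory or the plugin; the main-file path below is an assumption."""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "3.4.3"            # from the advisory: fixed in 3.4.3
PLUGIN_SLUG = "responsive-add-ons"
# 'Version:' field of a WordPress plugin header comment (e.g. " * Version: 3.4.2").
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version field of a plugin header, or None if it is absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.4.2' into (3, 4, 2); a suffix such as '-beta1' is ignored."""
    digits = re.match(r"[\d.]+", version)
    if not digits:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in digits.group(0).strip(".").split("."))

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return version_tuple(version) < version_tuple(fixed)

def check_install(wp_root: str) -> Tuple[Optional[str], bool]:
    """Read the plugin header below a WordPress root; return (version, vulnerable)."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG / f"{PLUGIN_SLUG}.php"  # assumed path
    if not main_file.is_file():
        return None, False                       # plugin not installed
    header = main_file.read_text(errors="replace")[:4096]  # header sits at the top of the file
    version = parse_plugin_version(header)
    return version, bool(version and is_vulnerable(version))

# Constructed sample header, shaped like a real plugin header, for offline use.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Responsive Plus\n * Version: 3.4.2\n */\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    ver, vuln = check_install(root)
    print(f"{PLUGIN_SLUG}: installed={ver} vulnerable={vuln}")
```

Run it with the WordPress root as the only argument; a missing plugin directory is reported as not installed rather than as vulnerable.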
Vulnerability scanners are available that can detect this vulnerability. Consult with your web security provider for more information.
A CVSS score of 9.8 indicates critical risk: the vulnerability is easy to exploit and can severely impact website security.