Platform: wordpress
Component: responsive-add-ons
Fixed in: 3.4.3
CVE-2025-15488 is a critical Remote Code Execution (RCE) vulnerability in the Responsive Plus – Elementor Templates & Starter Sites plugin for WordPress. Successful exploitation allows unauthenticated attackers to execute arbitrary code on the server, leading to complete compromise of the host. All versions of the plugin prior to 3.4.3 are affected; version 3.4.3 contains the fix.
A Remote Code Execution (RCE) vulnerability has been discovered in the Responsive Plus – Elementor Templates & Starter Sites plugin for WordPress. Identified as CVE-2025-15488, it affects all versions of the plugin prior to 3.4.3. An unauthenticated attacker could exploit the flaw to execute malicious code on the web server hosting the WordPress site, which could result in complete site takeover, data exfiltration, content modification, or denial of service. The vulnerability is rated 9.8 on the CVSS scale, indicating critical risk. Because no authentication is required, anyone who can reach the site could potentially exploit it, which makes the issue particularly dangerous.
The vulnerability stems from a flaw in how the plugin handles certain user inputs. An attacker could send a specially crafted request containing malicious code to the server; because the plugin does not properly validate or sanitize these inputs, that code could be executed in the context of the web server. Since no login is required, the flaw is reachable by a wide range of attackers, including those with limited technical skills, and active scanning for vulnerable websites is expected to begin.
Exploit Status
EPSS: 0.10% (28th percentile)
CVSS Vector
The most effective mitigation is to update the Responsive Plus plugin to version 3.4.3 or higher immediately, as this release includes the patch for the RCE vulnerability. If updating right away is not possible, take additional security measures in the meantime: restrict access to the website, deploy a web application firewall (WAF), and monitor server logs for suspicious activity. Regular website backups are crucial so the site can be restored after a successful attack. Also ensure that all other plugins and the WordPress core are updated to their latest versions to reduce the overall attack surface.
Update to version 3.4.3, or a newer patched version
RCE is a type of vulnerability that allows an attacker to execute arbitrary code on a server. This can give the attacker complete control over the server.
If you are using a version of Responsive Plus prior to 3.4.3, your website is vulnerable. You can check the plugin version in the WordPress admin dashboard, under the 'Plugins' section.
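A local check that does what the line above describes, as an added example that is not part of the advisory or the plugin vendor's code: it reads the plugin's `Version:` header and compares it with the patched release 3.4.3. The main-file path `responsive-add-ons/responsive-add-ons.php` under `wp-content/plugins` is an assumption based on the usual WordPress layout, and the sample header below is constructed.

```python
"""Check whether an installed Responsive Plus (responsive-add-ons) plugin
is older than the patched release 3.4.3 named in the advisory."""
import re
from pathlib import Path

PLUGIN_SLUG = "responsive-add-ons"   # component slug from the advisory
FIXED_VERSION = "3.4.3"              # first patched release per the advisory

# Constructed sample of a WordPress plugin main-file header (not real plugin code).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Responsive Plus – Elementor Templates & Starter Sites
 * Version: 3.4.2
 */
"""

HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of ints.
    Missing components count as 0 ('3.4' == '3.4.0'); a non-numeric suffix
    such as '-beta' is ignored, so pre-releases compare as the final release."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is strictly below the patched release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header(file_text):
    """Extract the 'Version:' field from a plugin's main-file header block."""
    m = HEADER_RE.search(file_text)
    return m.group(1) if m else None


def scan_plugins_dir(plugins_dir):
    """Return (version, vulnerable) for the plugin under plugins_dir, or None
    if it is not installed. Assumes the main file is <slug>/<slug>.php."""
    main_file = Path(plugins_dir) / PLUGIN_SLUG / f"{PLUGIN_SLUG}.php"
    if not main_file.is_file():
        return None
    version = version_from_header(main_file.read_text(errors="replace"))
    return None if version is None else (version, is_vulnerable(version))
```

Run `scan_plugins_dir("/var/www/html/wp-content/plugins")` against a site's plugin directory; a result of `(version, True)` means the installed release predates the fix.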
Implement additional security measures, such as a web application firewall (WAF), and monitor server logs.
Vulnerability scanners are available that can detect this vulnerability. Consult with your web security provider for more information.
A CVSS score of 9.8 indicates a critical risk. It means the vulnerability is easy to exploit and can have a significant impact on website security.