Platform
wordpress
Component
bdthemes-element-pack-lite
Fixed in
8.3.14
CVE-2025-31413 describes a Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons (plugin slug bdthemes-element-pack-lite). The flaw lets an attacker make a logged-in user's browser submit a state-changing request to the site without that user's knowledge or intent, which can lead to unauthorized modifications or deletions on an Elementor-based site. All versions up to and including 8.3.13 are affected (the database lists the range as 0.0.0 through 8.3.13); the fix ships in version 8.3.14.
What a successful attack achieves depends on which state-changing Element Pack action lacks a request-forgery check; the advisory does not name it, so treat any Element Pack function the victim can use (content edits, settings changes, deletions) as reachable. The forged request is sent by the victim's browser with the victim's own session cookies, so the attacker gains exactly the victim's privileges and nothing more: an editor victim exposes content, an administrator victim exposes everything the plugin can change. The attacker needs the victim to be logged in to the site and to open a page the attacker controls (a link in an email, a comment, an advertisement, a compromised third-party site); no credentials are stolen and no password is needed. The impact is amplified if the site handles sensitive user data or performs critical business functions. This is a typical WordPress CSRF in shape, with the specific consequences set by the permissions and functionality the vulnerable action exposes.
CVE-2025-31413 was publicly disclosed on 2026-01-22. There is no indication of active exploitation campaigns at this time, and the vulnerability is not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code may appear later; for a CSRF the PoC is little more than an auto-submitting HTML form, so the bar to weaponization is low once the affected action is known.
Any site running Element Pack Elementor Addons is at risk, with the greatest exposure on sites where privileged users (administrators, editors) log in regularly and may browse other sites while their session is active. On shared hosting, a compromise of one tenant can become a foothold against the others, so a site modified through this flaw also raises risk for its neighbours. Sites on older, unpatched versions of Element Pack are the primary targets.
• wordpress / composer / npm:
grep -r 'bdthemes-element-pack-lite' /var/www/html/
wp plugin get bdthemes-element-pack-lite --field=version   # vulnerable if the value is below 8.3.14
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/bdthemes-element-pack-lite/readme.txt | grep -i 'stable tag'   # only if readme.txt is web-readable; shows the shipped version, not proof of the running code
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=element_pack_some_sensitive_action
(the action name above is a placeholder; the advisory does not identify the affected action. A HEAD request to admin-ajax.php only confirms the endpoint is reachable, it does not reveal the plugin version, so rely on the version checks.)
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-31413 is to upgrade Element Pack Elementor Addons to version 8.3.14 or later without delay. If the upgrade must wait for compatibility testing, the interim options are limited because a CSRF request is sent by a legitimate, authenticated browser: adding the missing nonce checks yourself means patching the plugin's own code and carrying that fork until you upgrade, and a Web Application Firewall cannot see that a nonce is absent. What a WAF can do is reject POST requests to wp-admin/admin-ajax.php and admin-post.php whose Origin or Referer header does not match your own site, which stops the common cross-site form submission. Review and restrict user roles so that the accounts most likely to be lured carry as few capabilities as possible; a forged request can only do what the victim's role allows. After upgrading, confirm the fix on a test environment by submitting the state-changing request from a page on another origin, or with curl using a valid session cookie but no nonce, and verify that the request is rejected (WordPress answers a failed nonce check with HTTP 403 and the body "-1" or "0") and that the state is unchanged.
Update to version 8.3.14, or a later fixed release
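The mechanism behind a WordPress CSRF of this kind, as an added illustration that is not Element Pack's code and not the 8.3.14 patch (the advisory does not name the affected action; the hook names ep_demo_save_vuln and ep_demo_save, the option ep_demo_title and the attacker page are all constructed for this example). The vulnerable handler changes state with nothing but the victim's cookies; the hardened one demands a nonce that only a page served by this site to this user can carry, plus a capability check:

```php
<?php
/**
 * Plugin Name: CSRF-check illustration (added example, not Element Pack code)
 *
 * Drop into wp-content/mu-plugins/ of a TEST site. Hook names, option name
 * and attacker page are assumptions made for this example; the Element Pack
 * action behind CVE-2025-31413 is not named in the advisory.
 */

// Vulnerable pattern: a logged-in AJAX handler that writes state without
// verifying a nonce (and without a capability check). The browser attaches
// the victim's auth cookies to any POST, so a page on attacker.example can
// trigger this write while an admin is logged in elsewhere.
add_action( 'wp_ajax_ep_demo_save_vuln', function () {
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'ep_demo_title', $title );   // attacker-chosen value lands here
    wp_send_json_success( array( 'title' => $title ) );
} );

// Hardened pattern: the nonce proves the request came from a page this site
// rendered for this user; the capability check bounds who may write at all.
add_action( 'wp_ajax_ep_demo_save', function () {
    // Missing or stale nonce: WordPress dies with HTTP 403 and body "-1".
    check_ajax_referer( 'ep_demo_save', '_wpnonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_option( 'ep_demo_title', $title );
    wp_send_json_success( array( 'title' => $title ) );
} );

// The legitimate form. Only markup this site renders carries a valid nonce,
// which is exactly what a cross-site page cannot obtain or guess.
add_action( 'admin_menu', function () {
    add_options_page( 'EP demo', 'EP demo', 'manage_options', 'ep-demo', function () {
        ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
            <input type="hidden" name="action" value="ep_demo_save">
            <?php wp_nonce_field( 'ep_demo_save', '_wpnonce' ); ?>
            <input type="text" name="title"
                   value="<?php echo esc_attr( get_option( 'ep_demo_title', '' ) ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
        <?php
    } );
} );

/**
 * What the attacker hosts (constructed for this example). A logged-in admin
 * who merely opens it fires the POST with their cookies attached. It succeeds
 * against ep_demo_save_vuln; swap the action to ep_demo_save and the request
 * dies with 403 "-1" because no nonce is present.
 */
function ep_demo_attacker_page( $site_url ) {
    $ajax = esc_url( rtrim( $site_url, '/' ) . '/wp-admin/admin-ajax.php' );
    return <<<HTML
<html><body onload="document.forms[0].submit()">
<form method="post" action="{$ajax}">
  <input type="hidden" name="action" value="ep_demo_save_vuln">
  <input type="hidden" name="title" value="changed by csrf">
</form>
</body></html>
HTML;
}
```

To reproduce on the test site: log in as an administrator, save the output of ep_demo_attacker_page() as an HTML file on a different origin (a local file or another host), open it in the same browser, then check `wp option get ep_demo_title`. The vulnerable hook records the attacker's value; the hardened hook rejects the same request, which is the behaviour to look for when confirming an upgrade to 8.3.14 on a real Element Pack action.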
CVE-2025-31413 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Element Pack Elementor Addons versions 0.0.0–8.3.13, allowing attackers to perform unauthorized actions.
You are affected if you are using Element Pack Elementor Addons versions 0.0.0 through 8.3.13. Upgrade to 8.3.14 or later to mitigate the risk.
Upgrade Element Pack Elementor Addons to version 8.3.14 or later. If an immediate upgrade is not possible, consider interim controls such as Origin/Referer filtering of admin-ajax.php and admin-post.php requests at a WAF and reducing the privileges of accounts likely to be targeted; these reduce but do not remove the risk.
There is currently no indication of active exploitation campaigns, but public PoCs may emerge, increasing the risk.
Refer to the official Element Pack Elementor Addons website or their security advisory page for the latest information and updates regarding CVE-2025-31413.