WordPress Anant Addons for Elementor plugin <= 1.1.8 - Vulnerabilidade de CSRF para Instalação Arbitrária de Plugin
Plataforma
wordpress
Componente
anant-addons-for-elementor
Corrigido em
1.1.9
CVE-2025-32641 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Anant Addons for Elementor, a plugin for the Elementor page builder. This flaw allows an attacker to trick a logged-in user into unknowingly executing malicious actions, potentially leading to unauthorized modifications to the website. The vulnerability impacts versions from 0.0.0 up to and including 1.1.8, with a fix available in version 1.1.6.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Impacto e Cenários de Ataquetraduzindo…
A successful CSRF attack can have significant consequences for websites using Anant Addons for Elementor. An attacker could leverage this vulnerability to modify website content, change user roles and permissions, or even delete critical data. The attacker does not need to authenticate to exploit the vulnerability; they only need to trick a legitimate user into visiting a malicious link or page. This could be achieved through phishing emails, malicious advertisements, or compromised third-party websites. The blast radius extends to any user with access to the affected plugin, making it a widespread concern for Elementor-based websites.
Contexto de Exploraçãotraduzindo…
CVE-2025-32641 was published on April 9, 2025. As of this date, there are no publicly known active campaigns exploiting this specific vulnerability. No KEV or EPSS score is currently assigned. While no public Proof-of-Concept (PoC) code has been released, the CSRF nature of the vulnerability makes it relatively easy to exploit, increasing the likelihood of future exploitation attempts.
Inteligência de Ameaças
Status do Exploit
EPSS
0.12% (percentil 31%)
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Necessária — a vítima deve abrir um arquivo, clicar em um link ou visitar uma página.
- Scope
- Alterado — o ataque pode pivotar para além do componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Alto — falha completa ou esgotamento de recursos. Negação de serviço total.
Software Afetado
Informações do pacote
- Instalações ativas
- 800Nicho
- Avaliação do plugin
- 0.0
- Requer WordPress
- 6.7+
- Compatível até
- 6.9.4
- Requer PHP
- 7.4+
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
- Modificada
- EPSS atualizado
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2025-32641 is to immediately upgrade Anant Addons for Elementor to version 1.1.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can help to detect and block malicious requests. Additionally, ensure that all user input is properly validated and sanitized to prevent other potential vulnerabilities. After upgrading, verify the fix by attempting to trigger a CSRF attack on a test environment to confirm that the protection is effective.
Como corrigirtraduzindo…
Actualice el plugin Anant Addons for Elementor a la última versión disponible para mitigar la vulnerabilidad de CSRF que permite la instalación arbitraria de plugins. Verifique las actualizaciones disponibles en el panel de administración de WordPress o en el repositorio de plugins de WordPress.
Boletim de Segurança CVE
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
Perguntas frequentestraduzindo…
What is CVE-2025-32641 — CSRF in Anant Addons for Elementor?
CVE-2025-32641 is a CRITICAL Cross-Site Request Forgery (CSRF) vulnerability affecting Anant Addons for Elementor. It allows attackers to perform unauthorized actions on a user's account without their knowledge.
Am I affected by CVE-2025-32641 in Anant Addons for Elementor?
You are affected if you are using Anant Addons for Elementor versions 0.0.0 through 1.1.8. Upgrade to 1.1.6 or later to mitigate the risk.
How do I fix CVE-2025-32641 in Anant Addons for Elementor?
The recommended fix is to upgrade Anant Addons for Elementor to version 1.1.6 or a later version. As a temporary workaround, implement a WAF with CSRF protection rules.
Is CVE-2025-32641 being actively exploited?
As of April 9, 2025, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation suggests potential future attacks.
Where can I find the official Anant Addons advisory for CVE-2025-32641?
Refer to the Anant Addons website and Elementor's security advisory channels for the official advisory regarding CVE-2025-32641.
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.