Platform
wordpress
Component
premium-addons-for-elementor
Fixed in
4.11.54
A Cross-Site Request Forgery (CSRF) vulnerability exists in Premium Addons for Elementor, a WordPress plugin, impacting versions from 0.0.0 through 4.11.53. This flaw allows unauthenticated attackers to create arbitrary Elementor templates if they can manipulate users with the 'edit_posts' capability into performing actions. The vulnerability is due to missing nonce validation in the 'insert_inner_template' function. A patch is available in version 4.11.54.
Successful exploitation of this CSRF vulnerability allows an attacker to create malicious Elementor templates on a WordPress site without authentication. This could lead to defacement of the website, injection of malicious code into templates, or even unauthorized modification of site content. The attacker needs to craft a malicious link or form that, when clicked or submitted by a vulnerable user, triggers the template creation. The impact is amplified if the targeted user has elevated privileges, such as a site administrator, granting the attacker greater control over the website’s appearance and functionality. This is similar to other CSRF vulnerabilities where user actions are performed without their knowledge.
This vulnerability was publicly disclosed on December 23, 2025. There is no indication of active exploitation campaigns at this time. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability has not been added to the CISA KEV catalog. Severity is assessed as Medium based on the CVSS score.
WordPress websites using Premium Addons for Elementor, particularly those with multiple users having 'edit_posts' capabilities, are at risk. Shared hosting environments where users have limited control over plugin updates are also more vulnerable. Sites with legacy configurations or outdated security practices are especially susceptible.
• wordpress / composer / npm:
grep -r 'insert_inner_template' /var/www/html/wp-content/plugins/premium-addons-for-elementor/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'premium-addons-for-elementor'
• wordpress / composer / npm:
wp plugin update premium-addons-for-elementor --all
Disclosure
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade Premium Addons for Elementor to version 4.11.54 or later, which includes the necessary nonce validation to prevent CSRF attacks. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, restrict access to template creation functionalities to authorized users only. Regularly review user permissions and ensure the principle of least privilege is enforced. After upgrading, confirm the fix by attempting to create a template via a crafted CSRF request and verifying that the action is blocked.
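As an added illustration (not the plugin's code; the function, action, script and nonce names are assumptions), a WordPress admin-ajax handler in the nonce-less form that produces this class of CSRF, beside the hardened form that adds the nonce and capability checks the fix relies on:

```php
<?php
// Hypothetical admin-ajax handler that creates an Elementor template.
// Names are assumptions; this is not the plugin's own code.

// VULNERABLE PATTERN: wp_ajax_* hooks only fire for logged-in users, and
// nothing else is checked. A cross-site form submitted from the browser of a
// logged-in user with edit_posts reaches this handler carrying their cookies.
function example_insert_template_unsafe() {
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $post_id = wp_insert_post( array(
        'post_type'   => 'elementor_library', // Elementor's template post type
        'post_title'  => $title,
        'post_status' => 'publish',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// HARDENED PATTERN: nonce bound to this action plus an explicit capability check.
function example_insert_template_safe() {
    // 1. CSRF defence: the request must carry a nonce minted for this action
    //    and this user's session; a cross-site page cannot read or forge it.
    check_ajax_referer( 'example_insert_template', 'nonce' ); // dies on failure

    // 2. Authorization, independent of the nonce (least privilege).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $post_id = wp_insert_post( array(
        'post_type'   => 'elementor_library',
        'post_title'  => $title,
        'post_status' => 'publish',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_example_insert_template', 'example_insert_template_safe' );

// Legitimate callers receive the nonce from the page that enqueues the script,
// so only same-origin code running for this user can supply a valid one.
function example_enqueue_editor_script() {
    wp_enqueue_script( 'example-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-editor', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_insert_template' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor_script' );
```

The client then posts `action=example_insert_template`, `nonce=exampleAjax.nonce` and the title to `exampleAjax.url`; a request lacking a valid nonce is rejected before any post is created.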
Update to version 4.11.54, or a later fixed version
CVE-2025-14163 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Premium Addons for Elementor WordPress plugin versions 0.0.0–4.11.53, allowing attackers to create templates without authentication.
You are affected if your WordPress site uses Premium Addons for Elementor version 0.0.0 through 4.11.53. Check your plugin version and upgrade if necessary.
Upgrade Premium Addons for Elementor to version 4.11.54 or later. Consider implementing a WAF as an interim measure.
There is currently no evidence of active exploitation, but it's crucial to apply the patch to prevent potential future attacks.
Refer to the official Premium Addons for Elementor website or WordPress plugin repository for the latest advisory and update information.