CVE-2025-14155

5.3 MEDIUM

📋 TL;DR

This vulnerability lets unauthenticated attackers read private, draft and pending Elementor templates on WordPress sites running the Premium Addons for Elementor plugin, versions up to and including 4.11.53. Any site with an affected version installed and active is exposed regardless of other configuration, and the template content is returned with no credentials at all.

💻 Affected Systems

Products:
  • Premium Addons for Elementor – Powerful Elementor Templates & Widgets
Versions: All versions up to and including 4.11.53
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress sites with the Premium Addons for Elementor plugin installed and activated.

📦 What is this software?

Premium Addons for Elementor is a WordPress plugin that extends the Elementor page builder with additional widgets and ready-made templates. The Elementor templates it manages, including those saved as private, draft or pending, are the content this issue exposes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers exfiltrate unpublished content, proprietary templates, or sensitive information embedded in draft templates, potentially leading to intellectual property theft or content manipulation.

🟠

Likely Case

Attackers view unpublished content and templates, gaining insight into upcoming site changes or accessing draft content not intended for public viewing.

🟢

If Mitigated

With the plugin updated to 4.11.54 or later the exposure is closed. Even unpatched, the flaw is limited to disclosure of template content: it provides no authentication bypass and no code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single unauthenticated HTTP request: the attacker calls the plugin's template-content handler (reached via admin-ajax.php with action=get_template_content) and receives the template body without presenting any credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.11.54 or later

Vendor Fix (WordPress.org plugin changeset): https://plugins.trac.wordpress.org/changeset/3416254/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Premium Addons for Elementor'
4. Click 'Update Now' if available
5. If not available, download version 4.11.54+ from WordPress.org and manually update

🔧 Temporary Workarounds

Disable vulnerable plugin

Platform: all

Temporarily disable the Premium Addons for Elementor plugin until patched

wp plugin deactivate premium-addons-for-elementor

Restrict access via WAF

Platform: all

Block unauthenticated requests to /wp-admin/admin-ajax.php whose action parameter is get_template_content. The parameter may arrive in the query string or in the POST body, so the rule must inspect both. Do not block admin-ajax.php wholesale: WordPress front-end features rely on it for anonymous visitors. After the rule goes live, confirm that public pages still render, since legitimate template loads may use the same action.

🧯 If You Can't Patch

  • Treat anything stored in private, draft or pending templates as readable by anyone: move secrets such as API keys or internal URLs out of template content until the plugin is updated
  • Restrict who can reach the WordPress admin interface where practical, but note that the exposed endpoint is admin-ajax.php, which many themes and plugins also call on behalf of anonymous visitors; an IP allow-list on /wp-admin/ will break those features unless admin-ajax.php is excepted or filtered on the specific action instead
  • Monitor web server and WAF logs for requests to template-related endpoints from unauthenticated sources

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 4.11.53 or lower, you are vulnerable.

Check Version:

wp plugin get premium-addons-for-elementor --field=version

Verify Fix Applied:

Verify plugin version is 4.11.54 or higher in WordPress admin panel.
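The version test above is easy to get wrong when scripted, because a string comparison of version numbers ranks 4.11.9 above 4.11.53. The following Python script is an added example for this page (not code from the plugin, the vendor or WordPress.org): it runs the same WP-CLI command shown above, parses the result into integers and reports whether the install is inside the affected range. The file name and the --path handling are this example's own choices.

```python
"""Check an installed Premium Addons for Elementor version against the
affected range for CVE-2025-14155 (all releases up to and including
4.11.53; fixed in 4.11.54).

Added example for this page, not code from the plugin or the vendor.
The version is compared component by component as integers: a plain
string comparison would rank "4.11.9" above "4.11.53" and wrongly
report a vulnerable install as patched.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import sys

PLUGIN_SLUG = "premium-addons-for-elementor"
LAST_VULNERABLE = "4.11.53"
FIXED_VERSION = "4.11.54"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.11.53' (or 'v4.11.53', or '4.11.53-beta1') into (4, 11, 53).
    Pre-release suffixes are dropped; anything else raises ValueError."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def verdict(version: str) -> str:
    """Human-readable result for one version string."""
    if is_vulnerable(version):
        return (f"VULNERABLE: {version} is below {FIXED_VERSION} "
                f"(affected range: <= {LAST_VULNERABLE}); update now")
    return f"OK: {version} is {FIXED_VERSION} or later"


def installed_version(wp_path: str | None = None) -> str:
    """Ask WP-CLI for the installed plugin version (the same command the
    page gives). Needs `wp` on PATH and a WordPress install in the current
    directory, or one named via --path. Raises if the plugin is absent."""
    if shutil.which("wp") is None:
        raise RuntimeError("wp-cli ('wp') not found on PATH")
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Usage: python check_pa_version.py [/var/www/html]
    # Passing a bare version string such as "4.11.53" instead of a path
    # exercises the comparison without a WordPress install present.
    arg = sys.argv[1] if len(sys.argv) > 1 else None
    if arg and re.match(r"^\s*v?\d", arg):
        print(verdict(arg))
    else:
        print(verdict(installed_version(arg)))
```

Run it from the WordPress root, or pass the install path; passing a bare version string instead exercises the comparison without a site. Once an install is confirmed affected, `wp plugin update premium-addons-for-elementor` or the dashboard update applies 4.11.54 or later.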

📡 Detection & Monitoring

Log Indicators:

  • Requests to /wp-admin/admin-ajax.php carrying action=get_template_content (in the query string or the POST body) that arrive without a WordPress login cookie
  • Repeated requests for that action from one source IP in quick succession, which is what harvesting many templates looks like

Network Indicators:

  • HTTP requests to admin-ajax.php with the get_template_content action from external IPs that present no wordpress_logged_in_* cookie. Default Apache and nginx access logs record neither the POST body nor the Cookie header, so when the action is sent in the body, or to see login state, a WAF, reverse proxy or application log is required.

SIEM Query:

(pseudo-syntax; adapt the field names to your log source, and match the login cookie as a prefix, since WordPress appends a per-site hash to wordpress_logged_in_)

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (query_string="*action=get_template_content*" OR post_data="*action=get_template_content*") AND NOT cookie="*wordpress_logged_in_*"
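To make the indicators above concrete, here is an added Python example (not code from the plugin, the vendor or any SIEM product) that applies them to access-log lines. The sample log embedded in it is constructed for illustration; the assumed log layout is combined format plus an optional trailing quoted Cookie field, and the burst threshold of three requests per source is an arbitrary example value.

```python
"""Flag access-log lines that match the CVE-2025-14155 exploit pattern:
requests to admin-ajax.php with action=get_template_content that carry
no WordPress login cookie.

Added example for this page; not code from the plugin, the vendor or
any SIEM product. Assumptions: lines are in Apache/nginx "combined"
format, optionally followed by one extra quoted field holding the
Cookie header (an nginx log_format that appends "$http_cookie", for
instance). The action is only visible here when it is sent in the query
string; a request that carries it in the POST body looks like any other
admin-ajax.php call in a standard access log and needs WAF or
application logging to classify.
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SUSPECT_ACTION = "get_template_content"
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"  # real cookies add a hash suffix

# Combined log format plus an optional trailing quoted cookie field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)

# Constructed sample log (not real traffic). Lines 1-3: one source
# hammering the action with no cookie. Line 4: a logged-in editor.
# Line 5: an unrelated admin-ajax action. Line 6: same action, but this
# log line has no cookie field, so login state cannot be determined.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=get_template_content HTTP/1.1" 200 5120 "-" "python-requests/2.31" "-"
203.0.113.10 - - [12/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=get_template_content HTTP/1.1" 200 4880 "-" "python-requests/2.31" "-"
203.0.113.10 - - [12/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=get_template_content HTTP/1.1" 200 6010 "-" "python-requests/2.31" "-"
198.51.100.7 - - [12/Jan/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=get_template_content HTTP/1.1" 200 5120 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_abc123=editor%7C1768300000%7Ctokenvalue"
198.51.100.8 - - [12/Jan/2026:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0" "-"
192.0.2.5 - - [12/Jan/2026:10:07:00 +0000] "POST /wp-admin/admin-ajax.php?action=get_template_content HTTP/1.1" 200 5120 "-" "curl/8.4.0"
"""


def classify(line: str) -> dict | None:
    """Return a finding for one suspicious line, or None.

    Suspicious means: the request targets admin-ajax.php with
    action=get_template_content in the query string and no WordPress
    login cookie is present. auth="unknown" marks lines where the log
    has no cookie field at all, so login state could not be checked."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if parse_qs(url.query).get("action", [None])[0] != SUSPECT_ACTION:
        return None
    cookie = m["cookie"]
    if cookie is not None and LOGIN_COOKIE_PREFIX in cookie:
        return None  # a logged-in editor fetching a template is expected
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "status": int(m["status"]),
        "auth": "unknown" if cookie is None else "unauthenticated",
    }


def scan(lines, burst_threshold: int = 3) -> tuple[list[dict], dict[str, int]]:
    """Classify every line and report source IPs at or above the burst
    threshold, the repeated-request pattern from the Detection notes."""
    findings = [f for f in (classify(line) for line in lines) if f]
    per_ip = Counter(f["ip"] for f in findings)
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    # Usage: python detect_template_content.py [access.log]
    # Without an argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            findings, bursts = scan(fh)
    else:
        findings, bursts = scan(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['ts']} {f['ip']} {f['method']} status={f['status']} auth={f['auth']}")
    for ip, n in bursts.items():
        print(f"burst: {ip} made {n} template-content requests")
```

Findings marked auth=unknown are the honest output when the log format omits cookies: they deserve follow-up, not automatic dismissal. A 200 status on a flagged line means the handler returned content to that request.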

🔗 References
