CVE-2025-14163
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in the Premium Addons for Elementor WordPress plugin lets an unauthenticated attacker create arbitrary Elementor templates by tricking a logged-in administrator into performing an action such as clicking a crafted link. The template-insert handler (insert_inner_template) does not validate a nonce, so a forged request from another origin is processed with the victim's privileges. All versions up to and including 4.11.53 are affected. The injected templates can serve as a foothold for further compromise.
💻 Affected Systems
- Premium Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers create malicious templates containing JavaScript payloads that execute when viewed, potentially leading to site takeover, data theft, or malware distribution to visitors.
Likely Case
Attackers inject spam content, redirects, or defacement templates that appear on the website, damaging reputation and SEO.
If Mitigated
Once the template-insert request is protected by nonce validation, a forged cross-site request is rejected and the issue is closed. Until then, exploitation still needs the administrator to be lured into a crafted page while logged in, which gives user awareness and request monitoring a chance to catch it before damage occurs.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators, but the technical complexity is low once the victim interacts with the malicious link.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.11.54 or later
Fix Changeset: https://plugins.trac.wordpress.org/changeset/3416254/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Premium Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.11.54 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable the template feature via filter
Add a WordPress filter that disables the template functionality exposed by the vulnerable insert_inner_template function.
Add to the theme's functions.php or a custom plugin: add_filter('premium_addons_elementor_templates_enabled', '__return_false');
Caveat: confirm that this filter hook actually exists in your installed version of the plugin (search the plugin source for the hook name) before relying on it; if it is not present the filter is a no-op and the site stays exposed. Updating to 4.11.54 or later is the only complete fix.
🧯 If You Can't Patch
- Temporarily deactivate the Premium Addons for Elementor plugin until patched
- Serve a strict Content-Security-Policy header so that script injected into a template cannot execute from unauthorized sources; this limits the impact of a malicious template but does not stop the forged request itself
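A stricter stop-gap than the filter above is to reject the template-insert AJAX action when the request does not originate from the site itself. The must-use plugin below is an added example written for this page, not code from the Premium Addons project. It assumes the action name premium_inner_template_insert (taken from the log-indicator section of this page) and that the action is dispatched through the admin-ajax.php action parameter; confirm both against includes/templates/classes/manager.php in your installed version before deploying. The function and constant names are the example's own.

```php
<?php
/**
 * Plugin Name: Block cross-site Premium Addons template inserts (temporary)
 * Description: Stop-gap mu-plugin. Rejects the template-insert AJAX action
 *              unless the request's Origin (or Referer) host matches this
 *              site. Remove once Premium Addons is updated to 4.11.54+.
 *
 * Install as wp-content/mu-plugins/block-pa-template-insert.php.
 */

// ASSUMPTION: action name taken from this page's detection section; verify it
// against the plugin's manager.php in your installed version.
const PA_BLOCKED_AJAX_ACTIONS = array( 'premium_inner_template_insert' );

/**
 * Returns true when the request appears to come from this site.
 *
 * Browsers always send an Origin header on cross-origin POST requests, so a
 * CSRF page on attacker.example is reported as that origin. Referer is used
 * as the fallback for requests without Origin. A request carrying neither
 * header is treated as cross-site: the legitimate Elementor editor requests
 * issued from wp-admin carry a same-origin Origin header.
 */
function pa_request_is_same_site( array $server ) {
	$site_host = wp_parse_url( home_url(), PHP_URL_HOST );

	foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
		if ( empty( $server[ $header ] ) ) {
			continue;
		}
		// "null" origins and unparsable values yield a non-string here
		// and are rejected.
		$host = wp_parse_url( $server[ $header ], PHP_URL_HOST );
		return is_string( $host ) && 0 === strcasecmp( $host, $site_host );
	}

	return false;
}

/**
 * admin-ajax.php fires admin_init before wp_ajax_{action}, so a priority-0
 * admin_init hook runs ahead of the plugin's own handler.
 */
add_action(
	'admin_init',
	function () {
		if ( ! wp_doing_ajax() ) {
			return;
		}

		$action = isset( $_REQUEST['action'] )
			? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
			: '';

		if ( ! in_array( $action, PA_BLOCKED_AJAX_ACTIONS, true ) ) {
			return;
		}

		if ( pa_request_is_same_site( $_SERVER ) ) {
			return;
		}

		// Leave an audit trail for the detection queries below.
		error_log(
			sprintf(
				'Blocked cross-site %s from %s',
				$action,
				isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
			)
		);

		wp_send_json_error( array( 'message' => 'Cross-site request rejected.' ), 403 );
	},
	0
);
```

Test this on staging first: open the Elementor editor from wp-admin and insert a template to confirm legitimate same-origin requests still pass. The Origin check is robust for POST requests regardless of Referrer-Policy; only GET-based requests depend on the Referer fallback. This is defense in depth around one action, not a replacement for the vendor fix.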
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Premium Addons for Elementor version. If version is 4.11.53 or lower, you are vulnerable.
Check Version:
wp plugin get premium-addons-for-elementor --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify the plugin version shows 4.11.54 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=premium_inner_template_insert whose Origin or Referer header points to a host other than your site (a CSRF request is issued from the attacker's page, so the browser reports that page's origin)
- Multiple template creation events from a single administrator session in a short window
- Template creation by an administrator who did not open the Elementor editor beforehand (no preceding editor page loads in the same session)
Network Indicators:
- Outbound calls to suspicious domains in newly created templates
- Unexpected iframe or script injections in template content
SIEM Query (field names follow your log schema; adapt as needed):
source="wordpress.log" AND "premium_inner_template_insert" AND status=200 AND NOT referer="https://<your-site>/*"
🔗 References
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L246
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L40
- https://plugins.trac.wordpress.org/changeset/3416254/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/77b57f2a-0b46-4b4a-bdca-1c5218d739ce?source=cve