CVE-2025-1639
📋 TL;DR
The Animation Addons for Elementor Pro WordPress plugin has a vulnerability that allows authenticated attackers with Subscriber-level access or higher to install and activate arbitrary plugins. This can lead to further compromise of vulnerable WordPress sites, particularly when Elementor itself is not activated. All sites using this plugin up to version 1.6 are affected.
💻 Affected Systems
- Animation Addons for Elementor Pro WordPress plugin
📦 What is this software?
Arolax by Crowdytheme
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the WordPress site by installing malicious plugins that provide backdoors, execute arbitrary code, or steal sensitive data, potentially leading to complete system compromise.
Likely Case
Attackers install plugins that create persistent backdoors, inject malicious content, or establish footholds for further attacks, leading to data theft, defacement, or malware distribution.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized plugin installations that can be detected and removed before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access (Subscriber role or higher). Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.6
Vendor Advisory: https://themeforest.net/item/arolax-creative-digital-agency-theme/53547630
Restart Required: No
Instructions:
1. Update the Animation Addons for Elementor Pro plugin to the latest version (above 1.6).
2. Verify the update through the WordPress admin panel.
3. Test plugin functionality after the update.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the Animation Addons for Elementor Pro plugin until a patched version is available
wp plugin deactivate animation-addons-for-elementor-pro
wp plugin delete animation-addons-for-elementor-pro
Restrict user roles
Limit the number of accounts with the Subscriber role, or review and remove unnecessary accounts
wp user list --role=subscriber --field=ID
wp user delete [USER_ID] --reassign=[ADMIN_ID]
🧯 If You Can't Patch
- Disable or remove the Animation Addons for Elementor Pro plugin immediately
- Implement strict access controls and monitor for unauthorized plugin installations
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin panel. If Animation Addons for Elementor Pro is installed and its version is 1.6 or lower, the site is vulnerable.
Check Version:
wp plugin get animation-addons-for-elementor-pro --field=version
Verify Fix Applied:
Verify that the plugin version is above 1.6 in the WordPress admin panel. Test that authenticated low-privilege users cannot install plugins without proper permissions.
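The version comparison above is easy to get wrong by hand (a string compare puts "1.10" before "1.6"). The following added example, not part of this advisory or the plugin vendor's code, takes the JSON that `wp plugin list --format=json` prints and reports whether the plugin slug `animation-addons-for-elementor-pro` is at an affected version (1.6 or lower, per this advisory). The field names `name`, `status` and `version` are assumed to match WP-CLI's JSON output, and the sample plugin list is constructed.

```python
"""Affected-version check for Animation Addons for Elementor Pro (added example)."""
import json
import re

# Plugin slug as used by the wp-cli commands in this advisory (assumption).
PLUGIN_SLUG = "animation-addons-for-elementor-pro"
# Advisory: all versions up to and including 1.6 are affected.
LAST_AFFECTED = "1.6"


def parse_version(version):
    """Turn '1.6', '1.6.0' or '1.10-beta' into a tuple of ints that compares
    numerically. A '-'/'+' suffix is dropped; trailing zero components are
    trimmed so that 1.6.0 == 1.6."""
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("unparseable version: %r" % version)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is at or below the last affected release."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def affected_plugins(wp_plugin_list_json):
    """Scan `wp plugin list --format=json` output and return findings for the
    advisory's plugin slug, each tagged with whether it is affected."""
    findings = []
    for row in json.loads(wp_plugin_list_json):
        if row.get("name") != PLUGIN_SLUG:
            continue
        findings.append({
            "name": row["name"],
            "status": row.get("status", ""),
            "version": row.get("version", ""),
            "vulnerable": is_vulnerable(row.get("version", "0")),
        })
    return findings


# Constructed sample of `wp plugin list --format=json` output (not real site data).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "inactive", "update": "none", "version": "3.27.0"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "1.6"},
])


if __name__ == "__main__":
    for finding in affected_plugins(SAMPLE_PLUGIN_LIST):
        state = "AFFECTED" if finding["vulnerable"] else "patched"
        print("%s %s (%s): %s" % (finding["name"], finding["version"],
                                   finding["status"], state))
```

On a live site, pipe the real output in: `wp plugin list --format=json | python3 check_version.py` after replacing the sample with `sys.stdin.read()`. The comparison treats only a release strictly above 1.6 as fixed, which matches the "Patch Version: Version after 1.6" statement above.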
📡 Detection & Monitoring
Log Indicators:
- WordPress plugin installation logs from non-admin users
- Unexpected plugin activation events
- HTTP POST requests to plugin installation endpoints from low-privilege users
Network Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with action=install_elementor_plugin_handler from authenticated non-admin users
SIEM Query:
source="wordpress" AND (event="plugin_installed" OR event="plugin_activated") AND user_role!="administrator"
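The indicators listed above come from two different sources: the web server's access log (which shows the `admin-ajax.php` request and its `action` when it is in the query string, but not the WordPress user or role) and a WordPress-side audit log (which records who installed or activated a plugin and with what role). The following added example, not part of this advisory, applies both rules to constructed sample lines: the access-log filter looks for `action=install_elementor_plugin_handler`, and the audit-log filter is the SIEM query above expressed in code. The audit-log field names (`source`, `event`, `user`, `user_role`) are assumed to match that query; real audit plugins name them differently.

```python
"""Detection helpers for CVE-2025-1639 indicators (added example)."""
import json
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status bytes ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "install_elementor_plugin_handler"  # from the advisory's network indicator
PLUGIN_EVENTS = {"plugin_installed", "plugin_activated"}  # from the advisory's SIEM query


def flag_ajax_requests(access_log_lines):
    """Return access-log hits for admin-ajax.php calls carrying the suspect action.
    Only query-string actions are visible here; an action sent in a POST body
    is not in a standard access log and needs the audit-log rule below."""
    hits = []
    for line in access_log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != AJAX_PATH:
            continue
        actions = parse_qs(url.query).get("action", [])
        if SUSPECT_ACTION in actions:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": m.group("status")})
    return hits


def flag_privileged_plugin_events(audit_records):
    """SIEM query from the advisory as code:
    source="wordpress" AND event IN (plugin_installed, plugin_activated)
    AND user_role != "administrator"."""
    return [r for r in audit_records
            if r.get("source") == "wordpress"
            and r.get("event") in PLUGIN_EVENTS
            and r.get("user_role") != "administrator"]


# Constructed sample lines (RFC 5737 test addresses, fictional users).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Mar/2025:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2025:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=install_elementor_plugin_handler HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2025:10:16:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

SAMPLE_AUDIT_LOG = [json.loads(s) for s in (
    '{"source":"wordpress","event":"plugin_installed","user":"guest_42","user_role":"subscriber","plugin":"example-plugin"}',
    '{"source":"wordpress","event":"plugin_activated","user":"siteadmin","user_role":"administrator","plugin":"example-plugin"}',
    '{"source":"wordpress","event":"post_published","user":"editor1","user_role":"editor"}',
)]


if __name__ == "__main__":
    for hit in flag_ajax_requests(SAMPLE_ACCESS_LOG):
        print("access log: %(ip)s %(method)s %(status)s at %(ts)s" % hit)
    for rec in flag_privileged_plugin_events(SAMPLE_AUDIT_LOG):
        print("audit log: %s (%s) -> %s" % (rec["user"], rec["user_role"], rec["event"]))
```

Treat the two rules as complementary: an access-log hit tells you a request reached the vulnerable handler, and the audit-log rule tells you whether a non-administrator actually got a plugin installed or activated, which is the condition the advisory's SIEM query alerts on.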