Description
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.
Published: 2025-12-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The Premium Addons for Elementor plugin contains a flaw in its get_template_content function where a required capability check is missing. Because this check is not performed, any visitor to the site can request the content of templates that are marked as private, draft or pending. The flaw therefore allows the disclosure of confidential design details and metadata stored in these templates, compromising the confidentiality of template data.

Affected Systems

WordPress installations that have the leap13 Premium Addons for Elementor plugin installed, specifically any version up to and including 4.11.53, are affected. Installations using newer versions of the plugin are not impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity level for this vulnerability. The EPSS score is reported as less than 1%, suggesting that the likelihood of exploitation is currently low. The vulnerability is not listed in CISA's KEV catalog, and no publicly documented exploits are known based on the available information. An attacker can typically trigger the flaw by sending a simple HTTP request to the endpoint that invokes get_template_content, making the attack vector remote and unauthenticated. Since the flaw permits disclosure rather than privilege escalation, the impact is limited to information leakage.

Generated by OpenCVE AI on April 22, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Premium Addons for Elementor plugin to a version newer than 4.11.53, in which the missing capability check in get_template_content is addressed.
  • If an immediate upgrade is not feasible, restrict unauthenticated access to the get_template_content endpoint, for example by adding a capability requirement through a WordPress hook or blocking the request via .htaccess rules.
  • Ensure that all Elementor templates are set to private or unpublished when they are not intended for public viewing and periodically audit template visibility settings to verify they have not been exposed unintentionally.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:leap13:premium_addons_for_elementor:*:*:*:*:*:wordpress:*:*

Tue, 23 Dec 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared: Elementor; Elementor elementor; Leap13; Leap13 premium Addons; Leap13 premium Addons For Elementor; Wordpress; Wordpress wordpress
Vendors & Products: Elementor; Elementor elementor; Leap13; Leap13 premium Addons; Leap13 premium Addons For Elementor; Wordpress; Wordpress wordpress

Tue, 23 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.
Title Premium Addons for Elementor <= 4.11.53 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'get_template_content'
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:38.336Z

Reserved: 2025-12-05T20:29:05.837Z

Link: CVE-2025-14155

Vulnrichment

Updated: 2025-12-23T15:29:32.248Z

NVD

Status: Modified

Published: 2025-12-23T10:15:43.297

Modified: 2026-04-08T17:20:24.867

Link: CVE-2025-14155

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses