Description
The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
Published: 2025-12-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthorized creation of Elementor templates
Action: Apply Patch
AI Analysis

Impact

The Premium Addons for Elementor plugin for WordPress, up to version 4.11.53, suffers from a Cross‑Site Request Forgery (CWE‑352) due to missing nonce validation in the 'insert_inner_template' function. An unauthenticated attacker who can persuade an administrator or a user with edit_posts capability to follow a crafted link can have the site create arbitrary Elementor templates. These templates may embed malicious content or scripts, potentially leading to site defacement or a vector for further code execution when the templates are activated.

Affected Systems

Affected product is the leap13 Premium Addons for Elementor plugin for WordPress. All releases through version 4.11.53 are vulnerable. The plugin is commonly used with Elementor on WordPress sites and is distributed via the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 4.3 marks this vulnerability as moderate. An EPSS score of less than 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an attacker to supply a forged request to the plugin's insert_inner_template endpoint and compel a user with edit capability to click the link. Because nonce checks are omitted, the action is executed automatically, making the exploit simple once the social engineering precondition is satisfied.

Generated by OpenCVE AI on April 21, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Premium Addons for Elementor to a version newer than 4.11.53 to remove the missing nonce check.
  • Restrict the edit_posts capability to trusted administrators and verify that users are not tricked into clicking malicious links.
  • If an immediate upgrade is not feasible, temporarily disable the plugin or block the insert_inner_template endpoint using a web‑application firewall or by modifying the .htaccess rules.

Generated by OpenCVE AI on April 21, 2026 at 16:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:leap13:premium_addons_for_elementor:*:*:*:*:*:wordpress:*:*

Tue, 23 Dec 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Leap13
Leap13 premium Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Leap13
Leap13 premium Addons For Elementor
Wordpress
Wordpress wordpress

Tue, 23 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
Title Premium Addons for Elementor <= 4.11.53 - Cross-Site Request Forgery via 'insert_inner_template'
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Leap13 Premium Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:45.736Z

Reserved: 2025-12-05T21:07:02.189Z

Link: CVE-2025-14163

cve-icon Vulnrichment

Updated: 2025-12-23T15:27:01.403Z

cve-icon NVD

Status : Modified

Published: 2025-12-23T10:15:43.497

Modified: 2026-04-08T18:24:08.443

Link: CVE-2025-14163

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses