Description
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_content_editor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create published Xpro templates.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing capability check in the get_content_editor function of the Xpro Addons plugin for Elementor allows unauthenticated users to create and publish Xpro templates. The flaw is a classic missing authorization error (CWE-862): the handler writes data without first verifying that the caller holds a capability permitting the action, so content can be injected into the site from outside the normal permission model. This can be used to publish arbitrary or malicious templates that alter the site's appearance and undermine visitors' trust in it.

Affected Systems

The issue affects all versions of Xpro Addons for Elementor up to and including 1.5.0. Administrators using WordPress sites with this plugin installed are therefore exposed until a newer, patched release is applied.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the moderate range. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited. The flaw is reachable over the web interface without authentication, allowing template creation whether benign or malicious. The absence of any pre-authentication barrier makes exploitation more likely than for flaws requiring elevated privileges, but the impact remains limited to content integrity (unauthorized template creation) rather than system compromise.

Generated by OpenCVE AI on May 20, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Xpro Addons plugin to a version that includes the capability check (at least 1.5.1).
  • If an update is not yet available, disable the template creation feature or uninstall the plugin until the fix is released.
  • Ensure that WordPress role and capability settings restrict template publishing to privileged administrators, reviewing any custom role plugins that might grant extra capabilities.
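The flaw class named above, a handler that writes data without an authorization check, is easiest to recognise side by side with its fixed form. The following is an added illustration written for this page, not the plugin's code: a hypothetical WordPress AJAX handler that creates a published custom-post-type "template". Hook names, the post type, the nonce action and the capability chosen are all assumptions; the only point taken from the record is that the unfixed handler lacks a capability check (CWE-862).

```php
<?php
// Added illustration, not the Xpro Addons plugin's own code.
// All hook names, the post type and the nonce action below are assumptions.

// --- Vulnerable pattern (the CWE-862 shape described in this record) ---
// Registered on the nopriv hook as well, and no capability check: anyone who
// can reach admin-ajax.php can create a published template.
add_action( 'wp_ajax_nopriv_example_create_template', 'example_create_template_unchecked' );
add_action( 'wp_ajax_example_create_template', 'example_create_template_unchecked' );

function example_create_template_unchecked() {
    $post_id = wp_insert_post( array(
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_type'   => 'example_template',   // assumed custom post type
        'post_status' => 'publish',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// --- Hardened pattern ---
// Only the authenticated hook is registered, the request must carry a nonce
// (CSRF), and the capability is verified before anything is written.
add_action( 'wp_ajax_example_create_template_secure', 'example_create_template_checked' );

function example_create_template_checked() {
    // CSRF: nonce issued to this user for this specific action.
    check_ajax_referer( 'example_create_template', 'nonce' );

    // Authorization: the check that CWE-862 describes as missing. Tie it to a
    // capability that reflects the right to publish site-wide templates, not
    // merely to having a logged-in session. 'manage_options' (administrators)
    // is an assumption; choose the narrowest capability that fits the feature.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $post_id = wp_insert_post( array(
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_type'   => 'example_template',
        'post_status' => 'publish',
    ) );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
```

When auditing an installed plugin for this pattern, the two things to look for are `wp_ajax_nopriv_*` (or REST routes with `'permission_callback' => '__return_true'`) registrations whose callback mutates data, and callbacks on the authenticated `wp_ajax_*` hook that never call `current_user_can()` before writing; a nonce alone is not an authorization check, since every logged-in user can obtain one.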


Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 05:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress; Xpro; Xpro xpro Addons — 140+ Widgets For Elementor
Vendors & Products  |                | Wordpress; Wordpress wordpress; Xpro; Xpro xpro Addons — 140+ Widgets For Elementor

Wed, 20 May 2026 03:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_content_editor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create published Xpro templates.
Title       |                | Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 - Missing Authorization to Unauthenticated Xpro Template Creation
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T17:14:35.655Z

Reserved: 2025-12-30T17:15:11.329Z

Link: CVE-2025-15369

Vulnrichment

Updated: 2026-05-20T17:14:18.150Z

NVD

Status : Deferred

Published: 2026-05-20T04:16:42.597

Modified: 2026-05-20T13:54:54.890

Link: CVE-2025-15369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T05:30:05Z

Weaknesses