Description
The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site.
Published: 2025-03-04
Score: 8.8 High
EPSS: 11.1% Moderate
KEV: No
Impact: Unauthorized arbitrary plugin installation and activation with Subscriber-level access
Action: Patch Now
AI Analysis

Impact

The Animation Addons for Elementor Pro plugin performs no capability check in its install_elementor_plugin_handler() function, so any authenticated user with Subscriber privileges or higher can install and activate an arbitrary WordPress plugin. Activating a plugin executes its code immediately, so this amounts to authenticated code execution in the web server context with the lowest default role; no further interaction by an administrator is needed. All releases up to and including 1.6 are affected. The weakness is classified as CWE-862 (Missing Authorization): the handler is reachable by logged-in users but never verifies that the caller actually holds the capabilities WordPress uses to gate this action (install_plugins and activate_plugins).

Affected Systems

The affected product is the Animation Addons for Elementor Pro plugin published by Crowdytheme (tracked under CPE vendor crowdytheme, product arolax). Versions 1.6 and all earlier releases are affected; no fixed version is listed in the provided data.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable flaw with low attack complexity, no user interaction and full impact on confidentiality, integrity and availability; the only requirement is low privileges, i.e. any logged-in account. The EPSS score of 11.1% indicates a measurable likelihood of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The SSVC record attached at publication (4 Mar 2025) rates Exploitation as "none", Automatable as "no" and Technical Impact as "total". In practice the prerequisite is an account at Subscriber level or above; on sites with open registration ("Anyone can register") an attacker can create one directly. Once logged in, the attacker invokes the vulnerable handler to install and activate a plugin of their choosing, and activation runs that plugin's code. The advisory adds that the installed plugin can be leveraged to further infect the site when Elementor is not activated; it does not state that an active Elementor install blocks the handler, so all sites running 1.6 or earlier should be treated as exposed.

Generated by OpenCVE AI on April 20, 2026 at 23:42 UTC.
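The missing-authorization pattern described in the Impact and Risk sections above, sketched as an added example beside its hardened form. This is illustrative code written for this page, not the plugin's own code and not OpenCVE text: the hook name aae_install_plugin, the request parameter plugin_slug, the nonce name and the aae_ function names are assumptions. The WordPress calls used (wp_ajax_ hooks, check_ajax_referer, current_user_can, plugins_api, Plugin_Upgrader, activate_plugin, wp_send_json_error) are core APIs.

```php
<?php
/**
 * Added illustration of CWE-862 in a WordPress AJAX handler.
 * Hook name, parameter name, nonce name and aae_ prefix are assumptions.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} fires only for authenticated users (wp_ajax_nopriv_ covers
// anonymous ones), so a Subscriber reaches the handler exactly like an admin.
// The vulnerable version would wire it up like this (hook name assumed):
// add_action( 'wp_ajax_aae_install_plugin', 'aae_install_plugin_handler_vulnerable' );
function aae_install_plugin_handler_vulnerable() {
    $slug = sanitize_key( $_POST['plugin_slug'] ?? '' ); // parameter name assumed

    // No check_ajax_referer() and no current_user_can(): being logged in is the only gate.
    aae_install_and_activate( $slug );
    wp_send_json_success();
}

// --- Hardened form --------------------------------------------------------
add_action( 'wp_ajax_aae_install_plugin', 'aae_install_plugin_handler_fixed' );

function aae_install_plugin_handler_fixed() {
    // 1. CSRF protection. A nonce is not authorization: any Subscriber can be
    //    issued one for this action, so step 2 is still required.
    check_ajax_referer( 'aae_install_plugin', 'nonce' ); // nonce action/field names assumed

    // 2. Authorization. Installing and activating are two distinct capabilities;
    //    on a single-site install both belong to Administrators only.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input restriction. The feature only ever needs one plugin, so refuse
    //    anything outside a fixed allow-list instead of trusting the request.
    $allowed = array( 'elementor' );
    $slug    = sanitize_key( $_POST['plugin_slug'] ?? '' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not allowed.' ), 400 );
    }

    $result = aae_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}

/**
 * Shared install-and-activate routine built on core APIs. It is shown so the
 * example is complete; the vulnerability lies in who may reach it, not here.
 */
function aae_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'Installation failed.' );
    }

    $plugin_file = $upgrader->plugin_info(); // basename such as "slug/slug.php", or false
    if ( ! $plugin_file ) {
        return new WP_Error( 'plugin_file_unknown', 'Installed plugin could not be located.' );
    }
    return activate_plugin( $plugin_file ); // null on success, WP_Error on failure
}
```

The capability check is the actual fix. The nonce only stops cross-site request forgery, and the allow-list only limits what an administrator can install through this path; neither prevents a logged-in Subscriber from calling the handler if current_user_can() is absent.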

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Animation Addons for Elementor Pro to a release later than 1.6, if the vendor has published one; if none is available, deactivate and remove the plugin until one is.
  • Do not rely on role restrictions as the fix: the Subscriber role does not normally hold install_plugins or activate_plugins, and the flaw is precisely that the handler never checks them. Reduce the attacker pool instead: disable open registration (Settings > General, "Anyone can register") where it is not needed, and review Subscriber-level accounts for any you do not recognise.
  • Audit installed plugins (the Plugins screen, or wp plugin list with WP-CLI) for entries nobody installed intentionally, compare plugin directory modification times against known maintenance windows, and check server logs for POST requests from low-privilege accounts around those times. Remove anything introduced via the vulnerability, and if malicious code ran, treat the site as compromised: rotate credentials and salts and look for added administrator accounts and modified core or theme files.

Generated by OpenCVE AI on April 20, 2026 at 23:42 UTC.
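As an added defence-in-depth example, not vendor guidance and not OpenCVE text, the following must-use plugin refuses plugin installation by users lacking install_plugins, undoes activations performed on behalf of users lacking activate_plugins, and logs each event for audit. It relies on WordPress core's upgrader_pre_install filter, upgrader_process_complete action and activated_plugin action; the pig_ prefix, the option name pig_audit_log and the log format are assumptions. It only intercepts code paths that go through core's WP_Upgrader and a non-silent activate_plugin(); the advisory does not say which functions the vulnerable handler uses, so this is a stopgap while the vulnerable plugin is still present, not a substitute for updating or removing it.

```php
<?php
/**
 * Plugin Name: Plugin-install guard (added example, not vendor guidance)
 * Description: Place in wp-content/mu-plugins/. Blocks plugin installs by users
 * without install_plugins, reverts activations by users without activate_plugins,
 * and records every install/activate event. pig_ prefix and option name are assumed.
 */

// True for WP-CLI and cron runs, which have no logged-in user and must not be gated.
function pig_is_non_interactive() {
    return ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron();
}

// 'upgrader_pre_install' runs inside WP_Upgrader::run() before any package is
// unpacked; returning a WP_Error aborts the install regardless of the caller.
add_filter( 'upgrader_pre_install', function ( $response, $hook_extra ) {
    if ( is_wp_error( $response ) || pig_is_non_interactive() ) {
        return $response;
    }
    if ( ! current_user_can( 'install_plugins' ) ) {
        pig_log( 'blocked_install', $hook_extra );
        return new WP_Error( 'pig_forbidden', 'Plugin installation denied: current user lacks install_plugins.' );
    }
    return $response;
}, 10, 2 );

// Record completed plugin installs/updates with the acting user for forensic review.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) === 'plugin' ) {
        pig_log( 'install_complete', $hook_extra );
    }
}, 10, 2 );

// 'activated_plugin' fires after activate_plugin() has written active_plugins
// (unless the caller asked for a silent activation). Log it, and if the acting
// user may not activate plugins, deactivate again so the code stops loading.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    pig_log( 'activated', array( 'plugin' => $plugin, 'network_wide' => $network_wide ) );
    if ( ! pig_is_non_interactive() && ! current_user_can( 'activate_plugins' ) ) {
        deactivate_plugins( $plugin, false, $network_wide );
        pig_log( 'auto_deactivated', array( 'plugin' => $plugin ) );
    }
}, 10, 2 );

// Write one JSON line to the PHP error log and keep a bounded copy in the
// options table so the trail survives log rotation.
function pig_log( $event, $context ) {
    $entry = array(
        'ts'      => gmdate( 'c' ),
        'event'   => $event,
        'user_id' => get_current_user_id(),
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '', // behind a proxy, use the header you trust instead
        'uri'     => $_SERVER['REQUEST_URI'] ?? '',
        'context' => $context,
    );
    error_log( 'plugin-install-guard ' . wp_json_encode( $entry ) );

    $ring   = (array) get_option( 'pig_audit_log', array() ); // option name assumed
    $ring[] = $entry;
    update_option( 'pig_audit_log', array_slice( $ring, -200 ), false );
}
```

Review the pig_audit_log option and the error log after deployment: a blocked_install or auto_deactivated entry carrying a Subscriber's user_id is direct evidence of an exploitation attempt and identifies the account to disable.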

Advisories
Source: EUVD
ID: EUVD-2025-7407
Title: The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type    | Values Removed          | Values Added
Metrics | epss {'score': 0.17084} | epss {'score': 0.07732}

Wed, 05 Mar 2025 17:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Crowdytheme; Crowdytheme arolax
CPEs                |                | cpe:2.3:a:crowdytheme:arolax:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | Crowdytheme; Crowdytheme arolax

Tue, 04 Mar 2025 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Mar 2025 03:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site.
Title       |                | Animation Addons for Elementor Pro <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Weaknesses  |                | CWE-862
References  |                | (none listed)
Metrics     |                | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:31.121Z

Reserved: 2025-02-24T17:04:42.711Z

Link: CVE-2025-1639

Vulnrichment

Updated: 2025-03-04T15:33:56.131Z

NVD

Status : Analyzed

Published: 2025-03-04T04:15:11.697

Modified: 2025-03-05T16:39:15.917

Link: CVE-2025-1639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses