Description
Server-Side Request Forgery (SSRF) vulnerability in TheInnovs ElementsCSS Addons for Elementor css-for-elementor allows Server Side Request Forgery. This issue affects ElementsCSS Addons for Elementor: from n/a through <= 1.0.8.9.
Published: 2025-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server‑Side Request Forgery flaw that allows an attacker to send arbitrary HTTP requests from the target server. The weakness can be leveraged to access internal resources, exfiltrate data, or interact with services that the server has connectivity to. The attack capitalizes on the plugin’s handling of user‑supplied URLs without proper validation, classified under CWE‑918.

Affected Systems

The affected product is the ElementsCSS Addons for Elementor plugin from TheInnovs, version 1.0.8.9 and earlier. WordPress installations hosting this plugin are at risk unless the plugin is upgraded to a post‑1.0.8.9 release or removed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of <1% suggests the likelihood of exploitation is currently very low, and the vulnerability is not listed in CISA’s KEV catalog. However, the potential impact of SSRF—particularly if the target server can reach internal or privileged services—warrants prompt remediation. Attackers would need to craft a request to the vulnerable endpoint; no special privileges or authentication are required because the plugin typically processes user inputs from public or logged‑in sources.

Generated by OpenCVE AI on May 1, 2026 at 02:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ElementsCSS Addons for Elementor plugin to a version newer than 1.0.8.9 or uninstall the plugin entirely.
  • If an upgrade is not feasible, restrict external network access from the WordPress host using firewall rules to limit outbound HTTP/HTTPS traffic that the plugin may initiate.
  • As a temporary defensive measure, block or apply input validation to the plugin’s URL handling endpoints to prevent arbitrary request construction until a patch is available.



Advisories
Source: EUVD
ID: EUVD-2025-9243
Title: Server-Side Request Forgery (SSRF) vulnerability in TheInnovs Team ElementsCSS Addons for Elementor allows Server Side Request Forgery. This issue affects ElementsCSS Addons for Elementor: from n/a through 1.0.8.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Server-Side Request Forgery (SSRF) vulnerability in TheInnovs Team ElementsCSS Addons for Elementor allows Server Side Request Forgery. This issue affects ElementsCSS Addons for Elementor: from n/a through 1.0.8.7.
Values Added: Server-Side Request Forgery (SSRF) vulnerability in TheInnovs ElementsCSS Addons for Elementor css-for-elementor allows Server Side Request Forgery. This issue affects ElementsCSS Addons for Elementor: from n/a through <= 1.0.8.9.
Title
Values Removed: WordPress ElementsCSS Addons for Elementor plugin <= 1.0.8.7 - Server Side Request Forgery (SSRF) vulnerability
Values Added: WordPress ElementsCSS Addons for Elementor plugin <= 1.0.8.9 - Server Side Request Forgery (SSRF) vulnerability
References
Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Tue, 01 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description: Server-Side Request Forgery (SSRF) vulnerability in TheInnovs Team ElementsCSS Addons for Elementor allows Server Side Request Forgery. This issue affects ElementsCSS Addons for Elementor: from n/a through 1.0.8.7.
Title: WordPress ElementsCSS Addons for Elementor plugin <= 1.0.8.7 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses: CWE-918
References
Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:00:46.069Z

Reserved: 2025-04-01T13:20:05.024Z

Link: CVE-2025-31796

Vulnrichment

Updated: 2025-04-01T19:26:59.435Z

NVD

Status: Deferred

Published: 2025-04-01T15:16:17.733

Modified: 2026-04-23T15:28:18.733

Link: CVE-2025-31796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T02:15:06Z

Weaknesses