Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw, identified as CWE-352, in the Anant Addons for Elementor plugin. Based on the description, it is inferred that the flaw allows a request made as an authenticated WordPress user to trigger the installation of any plugin without a proper CSRF token. This enables a malicious actor to supply a crafted plugin package that will be installed with the full privileges of the user performing the request.
Affected Systems
The flaw affects every release of the Anant Addons for Elementor plugin from the earliest version up through 1.1.8 inclusive. Versions 1.1.9 and newer contain the CSRF protection fix.
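What CSRF protection on a plugin-install action typically looks like in WordPress, as an added example: this is not the plugin's code and not the actual 1.1.9 patch. The action name, the `nonce` and `slug` field names and the slug allowlist are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Hypothetical names: the page does not show the plugin's real handler.
const EXAMPLE_ACTION        = 'example_install_plugin';
const EXAMPLE_ALLOWED_SLUGS = array( 'example-companion-plugin' ); // constructed allowlist

// The admin page that sends the request embeds this per-user, per-action token.
function example_install_nonce() {
    return wp_create_nonce( EXAMPLE_ACTION );
}

// Registered for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_handle_install' );

function example_handle_install() {
    // 1. CSRF: a request forged from another site cannot know the nonce.
    if ( ! check_ajax_referer( EXAMPLE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a nonce proves intent, not permission.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient capability.' ), 403 );
    }

    // 3. Input: install only slugs the plugin itself expects, never "any plugin".
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, EXAMPLE_ALLOWED_SLUGS, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not allowed.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the package from the WordPress.org directory, not from request data.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    if ( true !== $upgrader->install( $api->download_link ) ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success( array( 'installed' => $slug ) );
}
```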
Risk and Exploitability
The EPSS score of less than 1% indicates a low probability of mass exploitation at present, yet the high CVSS score suggests that a targeted attack could be devastating. Based on the description, the likely attack vector is an attacker delivering a forged request, such as a malicious link or form, to a logged-in WordPress user; however, the CVE data does not explicitly confirm that an authenticated user is required. While no public exploit code exists, the logic is straightforward for an attacker with moderate skill, and the risk is magnified if a malicious plugin can execute code on the server. The vulnerability is not listed in the CISA KEV catalog.
OpenCVE Enrichment