Description
Cross-Site Request Forgery (CSRF) vulnerability in quomodosoft ElementsReady Addons for Elementor element-ready-lite allows Cross Site Request Forgery.This issue affects ElementsReady Addons for Elementor: from n/a through <= 6.6.2.
Published: 2025-04-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw in the quomodosoft ElementsReady Addons for Elementor plugin (element‑ready-lite), identified as CWE‑352. An attacker who can trick an authenticated administrator or user into visiting a crafted URL can cause the browser to send privileged requests to the plugin’s endpoints, enabling unauthorized actions such as changing settings or triggering operations without the user’s consent.

Affected Systems

WordPress sites running the ElementsReady Addons for Elementor plugin from any version through 6.6.2 are affected. The issue was identified in all releases up to and including 6.6.2. No more recent versions were noted to contain the flaw.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require a user to be logged in to the site and visit a maliciously crafted link; the plugin’s lack of CSRF protection allows the attacker’s request to be performed with the victim’s credentials.

Generated by OpenCVE AI on May 1, 2026 at 10:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ElementsReady Addons for Elementor plugin to the latest version where the CSRF fix is applied.
  • If an update is not immediately possible, restrict access to the plugin’s administrative interfaces and disable or block the vulnerable endpoints for unauthenticated users.
  • Implement or enforce a generic CSRF protection mechanism, such as ensuring that all state‑changing requests include a secure nonce token.

Generated by OpenCVE AI on May 1, 2026 at 10:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11326 Cross-Site Request Forgery (CSRF) vulnerability in quomodosoft ElementsReady Addons for Elementor allows Cross Site Request Forgery. This issue affects ElementsReady Addons for Elementor: from n/a through 6.6.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in quomodosoft ElementsReady Addons for Elementor allows Cross Site Request Forgery. This issue affects ElementsReady Addons for Elementor: from n/a through 6.6.2. Cross-Site Request Forgery (CSRF) vulnerability in quomodosoft ElementsReady Addons for Elementor element-ready-lite allows Cross Site Request Forgery.This issue affects ElementsReady Addons for Elementor: from n/a through <= 6.6.2.
Title WordPress ElementsReady Addons for Elementor <= 6.6.2 - Cross Site Request Forgery (CSRF) Vulnerability WordPress ElementsReady Addons for Elementor plugin <= 6.6.2 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 16 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in quomodosoft ElementsReady Addons for Elementor allows Cross Site Request Forgery. This issue affects ElementsReady Addons for Elementor: from n/a through 6.6.2.
Title WordPress ElementsReady Addons for Elementor <= 6.6.2 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:07:18.435Z

Reserved: 2025-04-16T06:24:47.078Z

Link: CVE-2025-39546

cve-icon Vulnrichment

Updated: 2025-04-16T13:43:23.775Z

cve-icon NVD

Status : Deferred

Published: 2025-04-16T13:15:47.457

Modified: 2026-04-23T15:29:45.937

Link: CVE-2025-39546

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T10:15:17Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)