Description
The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated plugin installation via CSRF
Action: Update Plugin
AI Analysis

Impact

The vulnerability resides in the Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress. An unauthenticated attacker can cause the vulnerable BDFE endpoint to install the third‑party 'rs-wp-books-showcase' plugin by sending a forged request that bypasses nonce validation. The result is that the plugin is added to the site without the administrator’s knowledge, potentially exposing the site to malicious code from the newly installed plugin.

Affected Systems

WordPress sites using the mdimran41 Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin 1.1.7 or earlier are affected. Site administrators must review the installed plugins and ensure that this plugin version is not in use; if it is, they should update or remove it.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a crafted link presented to a site administrator that, when clicked, submits a CSRF request to the vulnerable endpoint; no authentication is required for the attacker, but social engineering is necessary to get an admin to trigger it.

Generated by OpenCVE AI on April 20, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin to the latest version that includes nonce validation.
  • If the rs-wp-books-showcase plugin has already been installed via this flaw, uninstall it from the site.
  • Enable a WordPress security measure that enforces nonce validation on all admin actions, such as a dedicated security plugin that blocks CSRF attacks and restricts plugin installations to authenticated users only.

Generated by OpenCVE AI on April 20, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27649 The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 12 Sep 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Mdimran41
Mdimran41 blog Designer For Elementor Plugin
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Mdimran41
Mdimran41 blog Designer For Elementor Plugin
Wordpress
Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Sep 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid <= 1.1.7 - Cross-Site Request Forgery
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Elementor Elementor
Mdimran41 Blog Designer For Elementor Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:53.178Z

Reserved: 2025-08-01T17:41:03.395Z

Link: CVE-2025-8481

cve-icon Vulnrichment

Updated: 2025-09-11T13:44:49.258Z

cve-icon NVD

Status : Deferred

Published: 2025-09-11T08:15:34.637

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses