CVE-2025-14155
Unknown Unknown - Not Provided

Unauthorized Data Access in Premium Addons for Elementor Plugin

Vulnerability report for CVE-2025-14155, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-23

Last updated on: 2026-04-08

Assigner: Wordfence

Description

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-23
Last Modified
2026-04-08
Generated
2026-07-06
AI Q&A
2025-12-23
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
premium_addons premium_addons_for_elementor 4.11.53

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Premium Addons for Elementor WordPress plugin (up to version 4.11.53) where a missing capability check on the 'get_template_content' function allows unauthenticated attackers to access the content of private, draft, and pending Elementor templates. Essentially, attackers can view template content they should not have permission to see because the plugin does not properly verify user permissions before providing this data.

Impact Analysis

The impact of this vulnerability is that unauthorized users can view sensitive or private template content within the Elementor plugin. This could lead to exposure of unpublished or confidential design templates, potentially revealing business logic, proprietary designs, or other sensitive information that was intended to remain private.

Detection Guidance

This vulnerability involves unauthorized access to private, draft, and pending templates via the 'get_template_content' function due to a missing capability check. Detection can involve monitoring for unauthorized AJAX requests targeting Elementor template content endpoints or unusual access patterns to template data. Specific commands are not provided in the resources, but network monitoring tools could be used to detect suspicious HTTP requests to the plugin's AJAX handlers. Additionally, checking plugin version (if version is 4.11.53 or earlier) can help identify vulnerable installations. [3]

Mitigation Strategies

The immediate mitigation step is to update the Premium Addons for Elementor plugin to version 4.11.54 or later, where the vulnerability has been fixed. This update includes the necessary capability checks to prevent unauthorized access to template content. [1]

Compliance Impact

This vulnerability allows unauthenticated attackers to access private, draft, and pending templates, potentially exposing sensitive or personal data stored within those templates. Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. [3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart