CVE-2025-14155
Unauthorized Data Access in Premium Addons for Elementor Plugin
Publication date: 2025-12-23
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| premium_addons | premium_addons_for_elementor | 4.11.53 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Premium Addons for Elementor WordPress plugin (up to version 4.11.53) where a missing capability check on the 'get_template_content' function allows unauthenticated attackers to access the content of private, draft, and pending Elementor templates. Essentially, attackers can view template content they should not have permission to see because the plugin does not properly verify user permissions before providing this data.
How can this vulnerability impact me? :
The impact of this vulnerability is that unauthorized users can view sensitive or private template content within the Elementor plugin. This could lead to exposure of unpublished or confidential design templates, potentially revealing business logic, proprietary designs, or other sensitive information that was intended to remain private.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to private, draft, and pending templates via the 'get_template_content' function due to a missing capability check. Detection can involve monitoring for unauthorized AJAX requests targeting Elementor template content endpoints or unusual access patterns to template data. Specific commands are not provided in the resources, but network monitoring tools could be used to detect suspicious HTTP requests to the plugin's AJAX handlers. Additionally, checking plugin version (if version is 4.11.53 or earlier) can help identify vulnerable installations. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Premium Addons for Elementor plugin to version 4.11.54 or later, where the vulnerability has been fixed. This update includes the necessary capability checks to prevent unauthorized access to template content. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to access private, draft, and pending templates, potentially exposing sensitive or personal data stored within those templates. Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. [3]