CVE-2025-14155
Unknown Unknown - Not Provided
Unauthorized Data Access in Premium Addons for Elementor Plugin

Publication date: 2025-12-23

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14155
EUVD
EUVD-2025-204785
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
premium_addons premium_addons_for_elementor 4.11.53
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Premium Addons for Elementor WordPress plugin (up to version 4.11.53) where a missing capability check on the 'get_template_content' function allows unauthenticated attackers to access the content of private, draft, and pending Elementor templates. Essentially, attackers can view template content they should not have permission to see because the plugin does not properly verify user permissions before providing this data.

Impact Analysis

The impact of this vulnerability is that unauthorized users can view sensitive or private template content within the Elementor plugin. This could lead to exposure of unpublished or confidential design templates, potentially revealing business logic, proprietary designs, or other sensitive information that was intended to remain private.

Detection Guidance

This vulnerability involves unauthorized access to private, draft, and pending templates via the 'get_template_content' function due to a missing capability check. Detection can involve monitoring for unauthorized AJAX requests targeting Elementor template content endpoints or unusual access patterns to template data. Specific commands are not provided in the resources, but network monitoring tools could be used to detect suspicious HTTP requests to the plugin's AJAX handlers. Additionally, checking plugin version (if version is 4.11.53 or earlier) can help identify vulnerable installations. [3]

Mitigation Strategies

The immediate mitigation step is to update the Premium Addons for Elementor plugin to version 4.11.54 or later, where the vulnerability has been fixed. This update includes the necessary capability checks to prevent unauthorized access to template content. [1]

Compliance Impact

This vulnerability allows unauthenticated attackers to access private, draft, and pending templates, potentially exposing sensitive or personal data stored within those templates. Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart