CVE-2025-14163
Unknown Unknown - Not Provided
CSRF in Premium Addons for Elementor Enables Template Injection

Publication date: 2025-12-23

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14163
EUVD
EUVD-2025-204783
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
premium_addons premium_addons_for_elementor 4.11.53
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Premium Addons for Elementor WordPress plugin (up to version 4.11.53). It occurs because the 'insert_inner_template' function lacks nonce validation, allowing unauthenticated attackers to trick users with the 'edit_posts' capability (like site administrators) into performing actions such as creating arbitrary Elementor templates via forged requests. [1]

Impact Analysis

An attacker can exploit this vulnerability to create arbitrary Elementor templates on a vulnerable WordPress site by tricking an authorized user into executing a forged request. This can lead to unauthorized content insertion or manipulation within the site, potentially affecting site integrity and user trust. [1]

Detection Guidance

This vulnerability can be detected by checking if the Premium Addons for Elementor plugin version is 4.11.53 or earlier and by monitoring for unauthorized AJAX requests to the 'insert_inner_template' action without proper nonce validation. You can look for suspicious POST requests to admin-ajax.php with the action 'premium_inner_template' that do not include valid nonce tokens. A sample command to detect such requests in web server logs could be: `grep 'action=premium_inner_template' /var/log/apache2/access.log` or using a network monitoring tool to filter HTTP POST requests to admin-ajax.php containing 'premium_inner_template'. Additionally, inspecting WordPress user activity logs for unexpected template insertions by users with 'edit_posts' capability may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Premium Addons for Elementor plugin to a version later than 4.11.53 where the nonce validation issue is fixed. If an update is not immediately available, restrict access to users with 'edit_posts' capability and monitor or block suspicious AJAX requests to 'premium_inner_template'. Implementing Web Application Firewall (WAF) rules to block forged requests targeting this AJAX action can also help. Additionally, educating site administrators to avoid clicking on suspicious links that could trigger CSRF attacks is recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14163. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart