Vulnerability Description
The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Leap13 | Premium Addons For Elementor | < 4.11.54 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.1Product
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.1Product
- https://plugins.trac.wordpress.org/changeset/3416254/Patch
- https://research.cleantalk.org/cve-2025-14163/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/77b57f2a-0b46-4b4a-bdcThird Party Advisory
FAQ
What is CVE-2025-14163?
CVE-2025-14163 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_...
How severe is CVE-2025-14163?
CVE-2025-14163 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14163?
Check the references section above for vendor advisories and patch information. Affected products include: Leap13 Premium Addons For Elementor.