Cross-Site Request Forgery in Royal Elementor Addons and Templates Plugin for WordPress
CVE-2025-0393

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Royal Elementor Addons And Templates
Vendor: CVE Published:; 14 January 2025

What is CVE-2025-0393?

The Royal Elementor Addons and Templates plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability due to improper nonce validation in the wpr_filter_grid_posts() function. This flaw allows unauthenticated attackers to exploit the vulnerability by tricking site administrators into performing unintended actions, potentially enabling the injection of malicious scripts. The issue is present in all versions up to and including 1.7.1006, making it critical for users to update their installations to mitigate the risk of exploitation.

Affected Version(s)

Royal Elementor Addons and Templates * <= 1.7.1006

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/royal-elemento...

https://wordpress.org/plugins/royal-elementor-addons/#dev...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2025
Vulnerability Reserved
Jan 10, 2025

Credit

Matthew Rollings