Premium Addons for Elementor Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Premium Addons for Elementor plugin for WordPress, affecting all versions through 4.11.53. The vulnerability arises from inadequate nonce validation in the 'insert_inner_template' function, allowing unauthenticated attackers to create arbitrary Elementor templates. Exploitation requires tricking a site administrator or a user with the 'edit_posts' capability into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability could lead to unauthorized creation of Elementor templates on the affected WordPress site.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the 'insert_inner_template' function without a valid nonce. This can be done by tricking an administrator or a user with the 'edit_posts' capability into clicking a link that activates the request. The absence of nonce validation allows the request to be processed, resulting in the creation of a new Elementor template as specified in the request.

Remediation

Users are advised to update the Premium Addons for Elementor plugin to version 4.11.54 or later.