Digital Marketing and Agency Templates Addons for Elementor Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress, affecting all versions through 1.1.1. The vulnerability arises from inadequate nonce validation in the import_templates() function, allowing unauthenticated attackers to initiate an import by sending a forged request, provided they can persuade a site administrator to click a link or perform a similar action.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can trick a user into performing actions they did not intend to, potentially leading to unauthorized changes or data imports.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to the import_templates() function without a valid nonce. This can be done by tricking an administrator into clicking a link that activates the import process, such as through a phishing email or a malicious website.

Remediation

No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.