CVE-2025-1441
Published: 19 February 2025
Description
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Security Summary
CVE-2025-1441, published on 2025-02-19, is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352, affecting the Royal Elementor Addons and Templates plugin for WordPress in all versions up to and including 1.7.1007. The flaw arises from missing or incorrect nonce validation in the 'wpr_filter_woo_products' function, which fails to properly verify requests.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking a site administrator into executing a forged request, such as clicking a malicious link. Exploitation enables the injection of malicious web scripts, leading to low impacts on confidentiality and integrity with a changed scope, as reflected in the CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Advisories indicate mitigation through updating to version 1.7.1008, where source code changes around line 1904 in the 'wpr-filter-woo-products.php' file address the nonce validation deficiency compared to line 1895 in the vulnerable 1.7.1007 tag. Further details are provided in Wordfence threat intelligence.
Details
- CWE(s)