CVE-2025-14155 is an unauthenticated information disclosure vulnerability in Premium Addons for Elementor – Powerful Elementor Templates & Widgets, where an external attacker can retrieve the rendered HTML of Elementor templates that were never meant to be publicly readable. The root cause is a missing capability check in the plugin’s get_template_content function, enabling unauthenticated attackers to view the contents of private, draft, and pending templates in all versions up to and including 4.11.53. This matters in real deployments because Elementor templates often contain unpublished landing pages, internal copy, experiment variants, marketing plans, gated offers, or “coming soon” pages that site owners assume are only visible inside the editor/dashboard until explicitly published or embedded.

CVE: CVE-2025-14155
Plugin Version: Premium Addons for Elementor <= 4.11.53
All Time: 57 894 631
Active installations: 700 000+
Publicly Published: December 23, 2025
Last Updated: December 23, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14155
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/premium-addons-for-elementor/premium-addons-for-elementor-41153-missing-authorization-to-unauthenticated-sensitive-information-exposure-via-get-template-content
https://t.me/cleantalk_researches/371

Timeline

December 1, 2025: Plugin testing and vulnerability detection in the Premium Addons for Elementor have been completed
December 1, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
December 23, 2025: Registered CVE-2025-14155

Discovery of the Vulnerability

The vulnerable surface is an AJAX endpoint exposed to unauthenticated users through the WordPress admin-ajax.php interface, specifically via a nopriv action that does not require a logged-in session. NVD’s description indicates that the plugin fails to enforce the authorization boundary that should separate public visitors from internal template assets, and that exploitation is as simple as supplying an attacker-controlled identifier for the template to be rendered and returned. Wordfence’s vulnerability database entry for CVE-2025-14155 aligns with this assessment, explicitly framing it as “Missing Authorization to Unauthenticated Sensitive Information Exposure via get_template_content” and confirming that the issue was tracked and later patched.

Understanding Missing Authorization Attacks

In WordPress, “sensitive data exposure” is not limited to obvious secrets like passwords or API keys; unpublished content itself can be sensitive when it reveals future announcements, pricing changes, partner names, internal campaigns, or operational details that are time-critical. Elementor templates are especially valuable targets because they are frequently used as reusable design “building blocks” and often store complete page sections or entire pages that are not yet published, sometimes including tracking identifiers, hidden CTAs, A/B test variants, or placeholder content that reveals business intent. CVE-2025-14155 breaks the expected content lifecycle by allowing unauthenticated users to pull rendered HTML directly, which can expose text, links, assets, and structural hints even when the template is not referenced by any public URL. NVD explicitly notes that private/draft/pending templates are exposed, which is exactly where organizations tend to keep pre-release and internal-only material.

Exploiting the Missing Authorization Vulnerability

To exploit CVE-2025-14155, an attacker without cookies:

POC:

curl 'http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=get_elementor_template_content&templateID=168&is_id=true'

The most realistic abuse pattern is content reconnaissance that becomes business-impacting long before it becomes “technical.” Attackers can extract unpublished landing pages and use them for competitor intelligence, early disclosure/leaks, phishing kits tailored to real upcoming campaigns, or reputational damage by publicizing internal drafts and mistakes. On e-commerce and marketing sites, pre-release templates can reveal seasonal promotions, discount codes embedded in links, planned product categories, or partner integrations that were not publicly announced; on media sites, templates can reveal embargoed topics and scheduled features. The risk is magnified by how easy it is to automate: the endpoint enables straightforward ID iteration and bulk extraction of rendered HTML, and the attacker does not need to authenticate, steal a cookie, or bypass any interactive UI controls. Wordfence’s classification of this as “Unauthenticated Sensitive Information Exposure” matches the operational reality: the data is sensitive because it is assumed to be non-public, not because it is necessarily secret in a cryptographic sense.

Recommendations for Improved Security

The primary mitigation is to update to a fixed version beyond the affected range, since CVE-2025-14155 impacts versions up to and including 4.11.53 per NVD and downstream advisories. From a defensive engineering standpoint, the correct fix is to remove unauthenticated access entirely for this route and enforce a strict capability requirement (for example, requiring authentication plus an appropriate edit_posts/Elementor template editing capability) before returning any template content, especially for templates not publicly published. It is also important to treat nonce checks as request-integrity controls rather than authorization: the core failure here is that the endpoint allows public access to an internal renderer, so capability checks must be the first line of defense. As compensating controls while patching, site owners can add WAF rules blocking requests to admin-ajax.php with action=get_elementor_template_content, and they should assume that any sensitive unpublished templates may already have been exposed and review drafts for information that should not be public.
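
One way to carry out the exposure review recommended above, added here as an example and not taken from the plugin or the original post: it reads web server access logs and reports which template IDs were requested through the affected action and which clients iterated over several IDs. It assumes Combined Log Format; the sample log lines, the scan function and the min_ids threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ACTION = "get_elementor_template_content"  # action name taken from the PoC request
# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_elementor_template_content&templateID=166&is_id=true HTTP/1.1" 200 5120
203.0.113.7 - - [02/Dec/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_elementor_template_content&templateID=167&is_id=true HTTP/1.1" 200 48
203.0.113.7 - - [02/Dec/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_elementor_template_content&templateID=168&is_id=true HTTP/1.1" 200 7311
198.51.100.20 - - [02/Dec/2025:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60
198.51.100.20 - - [02/Dec/2025:10:06:00 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=get_elementor_template_content&templateID=168&is_id=true HTTP/1.1" 200 7311
192.0.2.9 - - [02/Dec/2025:10:07:00 +0000] "GET /index.php?action=get_elementor_template_content&templateID=1 HTTP/1.1" 404 153
"""


def scan(log_text, min_ids=3):
    """Summarise requests to the affected AJAX action found in an access log.

    Only query-string requests are visible here; a POST carries its
    parameters in the body, which access logs do not record.
    """
    by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        query = parse_qs(url.query)  # decodes percent-encoding before comparing
        if ACTION not in query.get("action", []):
            continue
        by_client[ip].update(query.get("templateID", []))
    return {
        "by_client": {ip: sorted(ids) for ip, ids in by_client.items()},
        # Templates to review first: every ID requested through this action.
        "template_ids": sorted(set().union(*by_client.values())),
        # Clients that walked several distinct IDs (the bulk-extraction pattern).
        "enumerators": sorted(ip for ip, ids in by_client.items() if len(ids) >= min_ids),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The template_ids list is the starting point for deciding which drafts to treat as disclosed; the same path-and-action match is what a WAF rule for this endpoint needs to express.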

By taking proactive measures to address Missing Authorization vulnerabilities like CVE-2025-14155, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.