CVE-2025-14163 is a Cross-Site Request Forgery (CSRF) weakness in Premium Addons for Elementor that turns a normal authenticated workflow into a silent action a victim performs on an attacker's behalf. The core problem is simple but dangerous in real operations: a logged-in user can be tricked into creating a new Elementor template without clicking anything and without seeing a warning, because the plugin's AJAX action accepts a state-changing request that lacks any CSRF protection. Although the action requires a user with edit_posts, that capability covers a wide range of common roles on real sites, such as Author and Editor, so the issue is not limited to administrators and can be triggered against typical editorial staff who routinely browse the web while logged in.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-14163 |
| Plugin version | Premium Addons for Elementor <= 4.11.53 |
| All-time downloads | 57 894 631 |
| Active installations | 700 000+ |
| Publicly published | December 23, 2025 |
| Last updated | December 23, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14163 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/premium-addons-for-elementor/premium-addons-for-elementor-41153-cross-site-request-forgery-via-insert-inner-template ; https://t.me/cleantalk_researches/373 |
Timeline

| Date | Event |
| --- | --- |
| December 2, 2025 | Plugin testing and vulnerability detection in Premium Addons for Elementor were completed |
| December 2, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 23, 2025 | CVE-2025-14163 registered |
Discovery of the Vulnerability
The vulnerable entry point is the authenticated AJAX action premium_inner_template implemented in the plugin’s template manager code, where the handler reads a template parameter, fetches content from the remote Premium API source, and if content is returned it creates a new elementor_library entry via wp_insert_post as a published template. The authorization check exists in the sense that the action verifies the victim has edit_posts, but the protection that matters for CSRF is missing because there is no nonce validation with check_ajax_referer or an equivalent control. This gap means the browser will automatically include the victim’s cookies when posting to wp-admin, so a third party website can drive a privileged state change inside WordPress simply by making the victim load an auto submitting form.
Understanding CSRF attacks
CSRF in WordPress is about confusing the server regarding user intent, not about bypassing login. WordPress relies heavily on nonces for request intent validation because cookies alone prove only that the user is authenticated, they do not prove the user meant to perform the action. When a plugin exposes an authenticated AJAX route that changes state and forgets nonce validation, it creates a classic trap where the attacker supplies parameters and the victim supplies authority. In editorial environments the impact is often underestimated, but it is very real because templates are shared infrastructure and once a template is created it can later be inserted into pages, reused by other editors, exported, or referenced in workflows where people assume the library reflects intentional actions by trusted staff.
Exploiting the CSRF Vulnerability
To exploit CVE-2025-14163, an attacker needs no cookies of their own: the victim's browser supplies the session cookie when a logged-in user loads a page like the following.
PoC:

```html
<html>
  <body>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=premium_inner_template" method="POST">
      <input type="hidden" name="template" value="80066" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```
The immediate effect is silent content pollution because the site accumulates templates that nobody intentionally created, which forces administrators to investigate and clean up and also makes it harder to trust the library going forward. Over time this becomes a security and governance problem because unreviewed templates can be used as staging points for social engineering where a later attacker convinces an editor to insert a template that looks legitimate but contains misleading content, tracking links, or phishing style calls to action. On busy sites, mass creation can also become operationally costly because templates may appear published and searchable in the dashboard, causing confusion during routine work and increasing the chance that someone embeds the wrong asset. Even without direct code execution, attackers benefit from the fact that templates often sit closer to business critical landing pages than normal posts, so polluting the template layer can produce outsized downstream impact.
Recommendations for Improved Security
The correct fix is to add CSRF protection to the premium_inner_template action by requiring a nonce and validating it server side with check_ajax_referer, and to ensure the nonce is scoped to the specific action and user session. Capability checks should remain, but they must be paired with nonce validation for any state changing endpoint, because capability checks alone do not protect against cross site requests made from the victim’s browser. It is also prudent to reduce default impact by creating new templates as draft rather than publish, and by logging the actor and source context so administrators can audit unexpected creations. As a short term mitigation, site owners can restrict who has edit_posts on environments where it is not necessary, and they can monitor for bursts of elementor_library creation that do not align with normal editorial activity.
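The following is an added example, not code from this advisory or from Premium Addons, showing the shape of the fix the recommendation describes for a WordPress AJAX handler of this kind: a nonce is created for the editor script, verified server side with check_ajax_referer, paired with the capability check, and the new template lands as a draft. The action name `example_inner_template`, the helper `example_fetch_remote_template`, the script handle, the remote URL and the meta key are all assumptions; only the WordPress core functions are real.

```php
<?php
// Added example (not the plugin's own code): a CSRF-safe authenticated AJAX
// handler for a "insert template from remote library" action. Everything
// prefixed "example_" is hypothetical.

// 1. Hand an action-scoped, session-bound nonce to the editor script that calls the action.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-template-insert', plugins_url( 'insert.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-template-insert', 'exampleTemplate', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_inner_template' ),
    ) );
} );

// 2. Server side: prove intent (nonce) AND authority (capability) before any state change.
add_action( 'wp_ajax_example_inner_template', function () {
    // check_ajax_referer() stops the request (HTTP 403) when the 'nonce' field is missing
    // or invalid, so a cross-site form post that carries only the cookie never reaches
    // wp_insert_post(). This is the control the vulnerable action lacked.
    check_ajax_referer( 'example_inner_template', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    $template_id = isset( $_POST['template'] ) ? absint( $_POST['template'] ) : 0;
    if ( 0 === $template_id ) {
        wp_send_json_error( array( 'message' => 'missing template id' ), 400 );
    }

    // Hypothetical fetch from the vendor's template source; null when nothing usable comes back.
    $remote = example_fetch_remote_template( $template_id );
    if ( empty( $remote ) ) {
        wp_send_json_error( array( 'message' => 'template not found' ), 404 );
    }

    // Reduce default impact: create as draft rather than publish, and record the source id.
    $post_id = wp_insert_post( array(
        'post_type'    => 'elementor_library',
        'post_status'  => 'draft',
        'post_title'   => sanitize_text_field( $remote['title'] ),
        'post_content' => wp_kses_post( $remote['content'] ),
        'post_author'  => get_current_user_id(),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }

    update_post_meta( $post_id, '_example_source_template', $template_id );
    wp_send_json_success( array( 'post_id' => $post_id ) );
} );

// Hypothetical stand-in for the remote lookup; a real plugin would call its own API here.
function example_fetch_remote_template( $template_id ) {
    $response = wp_remote_get( 'https://example.invalid/templates/' . $template_id );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return ( is_array( $body ) && isset( $body['title'], $body['content'] ) ) ? $body : null;
}
```

The editor script reads `exampleTemplate.nonce` and posts it as the `nonce` field next to `template`. Because the nonce is tied to the logged-in session and to this one action, a page on another origin cannot obtain a valid value to include in its form, which is why the capability check alone was never sufficient.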
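For the audit and monitoring side of the recommendation, here is an added must-use plugin (example code, not from CleanTalk or from the plugin vendor) that records the actor and request context for every new elementor_library entry and alerts the site administrator when creations cluster in a short window. The threshold, window length, meta key names and transient name are assumptions; the hooks and helpers are WordPress core.

```php
<?php
// Added example (not part of the advisory): drop in wp-content/mu-plugins/ to
// record who created each elementor_library entry and how the request arrived,
// and to flag bursts that do not look like normal editorial activity.

define( 'EXAMPLE_BURST_WINDOW', 10 * MINUTE_IN_SECONDS ); // assumed window
define( 'EXAMPLE_BURST_THRESHOLD', 5 );                    // assumed threshold

add_action( 'wp_insert_post', function ( $post_id, $post, $update ) {
    if ( $update || 'elementor_library' !== $post->post_type || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // Provenance for later audit. A template created via a cross-site form post
    // typically shows a foreign (or empty) Referer, which stands out in review.
    update_post_meta( $post_id, '_example_actor', get_current_user_id() );
    update_post_meta( $post_id, '_example_remote_addr',
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '' );
    update_post_meta( $post_id, '_example_referer', wp_get_referer() ? esc_url_raw( wp_get_referer() ) : '(none)' );
    update_post_meta( $post_id, '_example_via_ajax', wp_doing_ajax() ? 1 : 0 );

    example_check_template_burst();
}, 10, 3 );

// Count elementor_library entries created within the window; alert once per window when over threshold.
function example_check_template_burst() {
    $recent = get_posts( array(
        'post_type'      => 'elementor_library',
        'post_status'    => array( 'publish', 'draft' ),
        'posts_per_page' => EXAMPLE_BURST_THRESHOLD + 1,
        'fields'         => 'ids',
        'date_query'     => array( array(
            'column' => 'post_date_gmt',
            'after'  => gmdate( 'Y-m-d H:i:s', time() - EXAMPLE_BURST_WINDOW ),
        ) ),
    ) );
    if ( count( $recent ) <= EXAMPLE_BURST_THRESHOLD ) {
        return;
    }
    if ( get_transient( 'example_template_burst_alerted' ) ) {
        return; // already alerted for this window
    }
    set_transient( 'example_template_burst_alerted', 1, EXAMPLE_BURST_WINDOW );
    wp_mail(
        get_option( 'admin_email' ),
        'Unusual Elementor template creation',
        sprintf(
            '%d elementor_library entries were created in the last %d minutes on %s. Review the _example_referer and _example_actor meta on each for unexpected origins.',
            count( $recent ),
            EXAMPLE_BURST_WINDOW / MINUTE_IN_SECONDS,
            home_url()
        )
    );
}
```

The stored Referer and actor let an administrator distinguish a template an editor deliberately inserted from the dashboard from one that arrived while the same editor was browsing an unrelated site, and the burst alert gives early notice of mass creation before the library fills with entries nobody meant to add.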
By taking proactive measures to address CSRF vulnerabilities like CVE-2025-14163, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.
