CVE-2025-11536

CVSS 5.0 Medium
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
  • Published: 2025-10-20T22:15:36.727
  • Last modified: 1761075085

Summary

🛡️ Vulnerability overview CVE-2025-11536 The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. 📊 Technical details Severity: MEDIUM CVSS: 5 Vendor: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 🧩 Affected…

Technical details

    Severity & risk metrics

    CVSS: 5 (MEDIUM)

    Affected products & vendors

    Vendors not specified.

    Exploit & mitigation

    No vendor patch links provided.

    References & resources

    No references.


    🛡️ Vulnerability overview CVE-2025-11536

    The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

    📊 Technical details

    • Severity: MEDIUM
    • CVSS: 5
    • Vendor:
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

    🧩 Affected products

    • Not specified.
    • Update to the latest available version
    • Monitor logs and network traffic
    • Apply least-privilege and segment the network

    🔗 References

    • No related CVEs.

    Subscribe for CVE alerts

    The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

    Related CVE by CWE

    No related CWE found.

    Top CVE for Vendor

    No vendor taxonomy on this entry.

    Recently Exploited Similar Vulnerabilities

    No recent KEV-listed items for this vendor/product.

    How to fix CVE-2025-11536

    CVE-2025-11536 is a medium severity vulnerability affecting the affected product.

    Description: Summary 🛡️ Vulnerability overview CVE-2025-11536 The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the […]

    Affected Versions:
    Vulnerable: ≤ 8.2.5
    Safe: ≥ 8.2.6

    Exploit Difficulty: EASY
    ⏱️ Time to exploit: < 1 hour
    🛠️ Required skills: Basic web security knowledge
    💰 Public exploits: Likely available

    How to Fix:

    1 Identify affected systems

    - Check if you're running the affected product
    - Verify version (vulnerable: ≤ 8.2.5)

    2 Immediate actions

    - Update to ≥ 8.2.6 or later
    - If patching is not immediately possible: restrict network exposure, apply least-privilege access

    3 Verification

    - Test the fix in a staging environment first
    - Review logs for signs of exploitation
    - Monitor for IOCs (Indicators of Compromise)

    4 Long-term prevention

    - Enable automatic security updates
    - Set up vulnerability monitoring
    - Review and harden security configurations

    Vendor Advisory: https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.2.4/includes/setup-wizard/init.php#L420https://www.wordfence.com/threat-intel/vulnerabilities/id/97c100c3-8a96-4198-b38a-206268ff20ec?source=cve

    Exploit Difficulty Assessment

    EASY
    ⏱️ Time to Exploit: < 1 hour
    🛠️ Skills Required: Basic web security knowledge
    💰 Public Exploits: Likely available

    Affected Versions

    Vulnerable: ≤ 8.2.5
    Safe: ≥ 8.2.6

    Vulnerability Timeline

    Oct 20, 2025
    Vulnerability Published

    CVE details first published to NVD database

    Jan 01, 1970
    Last Modified

    CVE details were updated

    Oct 28, 2025
    Imported to Database

    Added to this CVE tracking system

    Detection Rules & IOCs

    No specific detection rules generated for this vulnerability type.

    No vendor/product data available.