Element Pack Addons for Elementor < 8.2.6 – Authenticated (Subscriber+) Blind Server-Side Request Forgery | CVE 2025-11536 | Plugin Vulnerabilities

Description

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

bdthemes-element-pack-lite

Fixed in 8.2.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/97c100c3-8a96-4198-b38a-206268ff20ec

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

LionTree

Verified

No

WPVDB ID

0477718e-fe34-4ff2-9fc7-039eabc1b9b2

Timeline

Publicly Published

2025-10-20 (about 5 months ago)

Added

2025-10-20 (about 5 months ago)

Last Updated

2025-10-20 (about 5 months ago)

Other

Published

Title

Published

2026-01-02

Title

PhotoMe < 5.7.2 - Unauthenticated Server-Side Request Forgery

Published

2024-03-13

Title

Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery

Published

2026-01-21

Title

WPO365 < 40.1 - Authenticated (Subscriber+) Server-Side Request Forgery

Published

2023-03-08

Title

GiveWP < 2.25.2 - Admin+ Server-Side Request Forgery

Published

2025-04-24

Title

Simple Google Photos Grid < 1.6 - Authenticated (Contributor+) Server-Side Request Forgery