WordPress Plugin Vulnerabilities

Elementor Addon Elements < 1.11.8 - CSRF Bypass

Description

The plugin does not properly check for CSRF in some of its functions, allowing them to be bypassed when making a requests without the expected nonce parameter (v < 1.1.7) or with a dummy nonce value (v < 1.11.8). As a result, attackers could make users perform unwanted actions.

Affects Plugins

Plugin icon
addon-elements-for-elementor-page-builder
Fixed in 1.11.8

References

URL
https://plugins.trac.wordpress.org/changeset/2567099/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
3.5 (low)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
d2280397-2029-41f3-b5eb-be94044c42a5

Timeline

Publicly Published
2021-07-20 (about 4 years ago)
Added
2021-07-20 (about 4 years ago)
Last Updated
2021-07-20 (about 4 years ago)

Other

Published
Title
Published
2023-06-03
Title
WP Hide Post <= 2.0.10 - Arbitrary Post Hiding via CSRF
Published
2026-04-08
Title
Advanced CF7 DB < 2.1.0 - Cross-Site Request Forgery to Form Entry Deletion
Published
2014-08-01
Title
Centrora Security 3.2.1 - Multiple Admin Actions CSRF
Published
2025-12-31
Title
Simple Archive Generator <= 5.2 - Cross-Site Request Forgery
Published
2025-06-05
Title
Bitly URL Shortener < 1.5.0 - Cross-Site Request Forgery