CVE-2025-1441
Published: 19 February 2025
Summary
CVE-2025-1441 is a medium-severity CSRF (CWE-352) vulnerability in Royal-Elementor-Addons Royal Elementor Addons. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-1441, published on 2025-02-19, is a Cross-Site Request Forgery (CSRF) vulnerability classified under CWE-352, affecting the Royal Elementor Addons and Templates plugin for WordPress in all versions up to and including 1.7.1007. The flaw arises from missing or incorrect nonce validation in the 'wpr_filter_woo_products' function, which fails to properly verify requests.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking a site administrator into executing a forged request, such as clicking a malicious link. Exploitation enables the injection of malicious web scripts, leading to low impacts on confidentiality and integrity with a changed scope, as reflected in the CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Advisories indicate mitigation through updating to version 1.7.1008, where source code changes around line 1904 in the 'wpr-filter-woo-products.php' file address the nonce validation deficiency compared to line 1895 in the vulnerable 1.7.1007 tag. Further details are provided in Wordfence threat intelligence.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4753
Vulnerability details
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible…
more
for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF flaw in public-facing WordPress plugin directly enables remote exploitation of web application to inject scripts and alter site behavior.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CSRF by requiring mechanisms like nonces to protect the authenticity of communications sessions against forged requests.
Enforces validation of critical inputs such as nonces in the 'wpr_filter_woo_products' function to block malicious script injection via forged requests.
Requires timely flaw remediation, such as patching to version 1.7.1008, to address the missing nonce validation deficiency.