PatchSiren cyber security CVE debrief

CVE-2025-15369 xpro CVE debrief

A missing capability check in the Xpro Addons for Elementor WordPress plugin allows unauthenticated attackers to create published templates. The flaw is in the `get_content_editor` function and affects all versions up to and including 1.5.0. Because no authentication is required, any visitor to an affected site can inject content through a template. The issue was disclosed on 2026-05-20 with a CVSS 3.1 base score of 5.3 (Medium). No exploitation in ransomware campaigns has been reported.

Vendor
xpro
Product
Xpro Addons — 140+ Widgets for Elementor
CVSS
MEDIUM 5.3
CISA KEV
Not listed (per the evidence collected for this debrief)
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

WordPress site administrators using Xpro Addons for Elementor, security teams monitoring plugin vulnerabilities, and web developers responsible for Elementor-based sites

Technical summary

The `get_content_editor` function in Xpro Addons for Elementor does not verify the caller's capabilities before performing template creation. Because of this missing authorization check, any unauthenticated visitor can submit a request that creates and publishes an Xpro template. All versions up to and including 1.5.0 are affected. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N indicates a network attack vector, low attack complexity, no privileges required, no user interaction, and a low integrity impact with no confidentiality or availability impact, consistent with an attacker who can add content but, per the vector, neither read data nor disrupt service.
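The pattern the advisory describes is a WordPress AJAX callback that creates a published post without asking who is calling. The following added example is not the plugin's code; the handler names, the `xpro_template` post type and the `xpro_template_nonce` action are assumptions chosen for illustration. It shows the vulnerable shape beside the hardened one (load one or the other, since both register the same action name).

```php
<?php
// Added illustrative example (not the Xpro Addons plugin's own code).
// Assumed names: post type 'xpro_template', nonce action 'xpro_template_nonce'.

// BEFORE: the pattern the advisory describes. Hooking wp_ajax_nopriv_* exposes
// the callback to logged-out visitors, and nothing checks the caller before a
// published post is created from request-controlled data.
function xpro_demo_vulnerable_get_content_editor() {
    $post_id = wp_insert_post( array(
        'post_type'    => 'xpro_template',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_unslash( $_POST['content'] ?? '' ), // attacker-controlled markup
        'post_status'  => 'publish',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_nopriv_get_content_editor', 'xpro_demo_vulnerable_get_content_editor' );
add_action( 'wp_ajax_get_content_editor',        'xpro_demo_vulnerable_get_content_editor' );

// AFTER: the same operation gated the way WordPress expects.
function xpro_demo_hardened_get_content_editor() {
    // 1. CSRF: the request must carry a nonce bound to this action; on failure
    //    check_ajax_referer() ends the request with a 403.
    check_ajax_referer( 'xpro_template_nonce', 'nonce' );

    // 2. Authorization: only users allowed to publish content may create templates.
    //    This is the check that is missing in the vulnerable version.
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    // 3. Input handling: sanitize the title and strip disallowed markup from the body.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    $post_id = wp_insert_post( array(
        'post_type'    => 'xpro_template',
        'post_title'   => $title,
        'post_content' => $content,
        'post_status'  => 'publish',
        'post_author'  => get_current_user_id(), // attributable to a real account
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
// Only the authenticated hook is registered; there is no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_get_content_editor', 'xpro_demo_hardened_get_content_editor' );
```

The order matters: the nonce check blocks cross-site forgery against logged-in editors, while `current_user_can()` is the authorization check proper. Removing the `wp_ajax_nopriv_` registration alone is not enough, because a low-privileged subscriber account would still reach the authenticated hook.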

Defensive priority

medium

Recommended defensive actions

  • Update Xpro Addons for Elementor to a release later than 1.5.0 as soon as one is available; until then, consider deactivating the plugin on internet-facing sites
  • Review existing Xpro templates for unauthorized content, paying particular attention to templates with no author or created outside normal editing activity
  • Add Web Application Firewall rules that block unauthenticated requests to the template creation endpoint (for WordPress plugins this is typically an admin-ajax.php action or a REST route)
  • Audit user roles and capabilities for template management functions so that only trusted roles can publish templates
  • Monitor for unexpected template publications; WordPress core keeps no audit log, so use an activity-logging plugin or periodically query for recently created template posts
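To make the review and monitoring steps above concrete, here is an added triage script that is not part of the advisory or the plugin. It lists recently created templates and flags those that look like the product of an unauthenticated request (no author, a non-existent author, an author who cannot publish, or script-like markup in the body). The post type `xpro_template` and the 14-day window are assumptions; replace them with the post type the plugin actually registers, which `wp post-type list` will show.

```php
<?php
// Added triage script (not the plugin's code). Run from the WordPress root with:
//   wp eval-file audit-templates.php
// Assumptions: the templates live in post type 'xpro_template'; review window 14 days.

$post_type = 'xpro_template';
$since     = '14 days ago';

$templates = get_posts( array(
    'post_type'      => $post_type,
    'post_status'    => 'any',
    'posts_per_page' => -1,
    'date_query'     => array( array( 'after' => $since ) ),
    'orderby'        => 'date',
    'order'          => 'DESC',
) );

$suspicious = array();
foreach ( $templates as $tpl ) {
    $author = (int) $tpl->post_author;
    $reason = null;

    if ( 0 === $author ) {
        // No author is consistent with a post created by a logged-out request.
        $reason = 'no author (post_author = 0)';
    } elseif ( ! get_userdata( $author ) ) {
        $reason = "author ID $author does not exist";
    } elseif ( ! user_can( $author, 'publish_posts' ) ) {
        $reason = "author ID $author cannot publish_posts";
    } elseif ( preg_match( '/<script|javascript:|\son\w+\s*=/i', $tpl->post_content ) ) {
        // Heuristic only: injected content often carries scripts or inline event
        // handlers; legitimate templates may trip this too, so treat it as a lead.
        $reason = 'content contains script-like markup';
    }

    if ( $reason ) {
        $suspicious[] = array(
            'ID'     => $tpl->ID,
            'date'   => $tpl->post_date,
            'status' => $tpl->post_status,
            'title'  => $tpl->post_title,
            'reason' => $reason,
        );
    }
}

$summary = sprintf( '%d %s posts since %s, %d flagged',
    count( $templates ), $post_type, $since, count( $suspicious ) );

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::log( $summary );
    if ( $suspicious ) {
        WP_CLI\Utils\format_items( 'table', $suspicious,
            array( 'ID', 'date', 'status', 'title', 'reason' ) );
    }
} else {
    echo $summary, PHP_EOL;
    print_r( $suspicious );
}
```

Flagged templates should be unpublished (`wp post update <ID> --post_status=draft`) rather than deleted until their content has been reviewed, since the body of an injected template is the evidence of what the attacker placed on the site.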

Evidence notes

Vulnerability identified by Wordfence. Source references include WordPress plugin repository browser and Wordfence threat intelligence database.
