Premium Addons for Elementor <= 4.11.63 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Description
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.11.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected Versions: <= 4.11.63
Source Code: WordPress.org SVN
Exploitation Research Plan - CVE-2025-69300
1. Vulnerability Summary
The Premium Addons for Elementor plugin (<= 4.11.63) contains a missing authorization vulnerability in its settings update mechanism. While the plugin implements nonce verification for CSRF protection, it fails to perform a capability check (e.g., current_user_can('manage_options')) on the function responsible for saving plugin settings. This allows any authenticated user, including those with Subscriber-level permissions, to modify plugin configuration settings.
2. Attack Vector Analysis
- Endpoint: `/wp-admin/admin-ajax.php`
- AJAX Action: `pa_save_admin_settings` (inferred from plugin naming conventions and similar vulnerabilities in this plugin).
- Vulnerable Function: Likely `Premium_Addons_Settings::save_settings` or a similar method within the admin settings class.
- HTTP Method: POST
- Parameters:
  - `action`: `pa_save_admin_settings` (inferred)
  - `security`: The nonce value.
  - `settings`: An array or JSON string containing the settings to be updated.
- Authentication: Authenticated (Subscriber or higher).
3. Code Flow
- Registration: The plugin registers an AJAX action for authenticated users: `add_action( 'wp_ajax_pa_save_admin_settings', array( $this, 'save_settings' ) );`
- Entry: A Subscriber user sends a POST request to `admin-ajax.php` with the action `pa_save_admin_settings`.
- Bypass: The `save_settings` function calls `check_ajax_referer( 'pa-settings-nonce', 'security' )` (inferred action string).
- Missing Check: The function proceeds to update the plugin options using `update_option()` without verifying `current_user_can( 'manage_options' )`.
- Sink: The `update_option()` function persists the attacker-supplied settings to the database.
4. Nonce Acquisition Strategy
The nonce is required for this exploit as check_ajax_referer is likely present. The nonce is typically localized to the WordPress admin dashboard for the plugin's settings page.
- Identify Shortcode/Page: The settings page is located at `/wp-admin/admin.php?page=pa-settings`. However, a Subscriber cannot access this page directly.
- Search for Global Nonce: Check if the nonce is enqueued on all admin pages for authenticated users.
- Procedure:
  - Log in as a Subscriber.
  - Navigate to the WordPress Dashboard (`/wp-admin/index.php`).
  - Use `browser_eval` to search for the nonce in the global `PremiumAddonsSettings` or `pa_settings` object (inferred).
  - JS Command: `browser_eval("window.pa_settings_vars?.nonce || window.PremiumAddonsSettings?.nonce")` (inferred).
Note: If the nonce is strictly limited to the settings page (which the Subscriber cannot access), look for other AJAX actions that expose the same nonce or check if the nonce is localized on the frontend for Elementor editors.
5. Exploitation Strategy
- Setup Credentials: Use a Subscriber account.
- Obtain Nonce: Extract the `pa-settings-nonce` using the strategy in Section 4.
- Craft Payload: Identify a setting to change. For example, disabling a specific widget or changing a global configuration.
  - Setting Name (inferred): `pa_st_settings` (Premium Addons Settings).
- Execute Request:

```javascript
// Example using http_request tool
await http_request({
  url: "http://localhost:8080/wp-admin/admin-ajax.php",
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: "action=pa_save_admin_settings&security=" + nonce + "&settings[some_feature_flag]=0"
});
```
6. Test Data Setup
- Install Premium Addons for Elementor version 4.11.63.
- Create a user with the Subscriber role.
- As an Admin, note the current state of a specific plugin setting (e.g., whether the "Pricing Table" widget is enabled):

```shell
wp option get pa_st_settings
```
7. Expected Results
- The server should return a successful response (likely `wp_send_json_success` or a string `1`).
- The plugin settings in the database should reflect the values sent in the Subscriber's POST request.
8. Verification Steps
- Check Database via WP-CLI: `wp option get pa_st_settings`. Verify that the values have changed from the initial state to the values provided in the exploit payload.
- UI Verification: Log in as Admin and navigate to the Premium Addons settings page to see if the toggles have moved.
9. Alternative Approaches
- Endpoint Guessing: If `pa_save_admin_settings` is incorrect, grep the plugin source for `wp_ajax_` to find the exact action string: `grep -r "wp_ajax_" /var/www/html/wp-content/plugins/premium-addons-for-elementor/`
- Setting Discovery: If the settings are stored in individual options rather than an array, grep for `update_option` inside the identified AJAX handler.
- Cross-Site Scripting (XSS): Check if any of the settings updated via this vulnerability are rendered unescaped in the admin dashboard or frontend. If so, this "Missing Authorization" can be escalated to a Stored XSS.
Summary
The Premium Addons for Elementor plugin fails to perform an authorization check (e.g., current_user_can('manage_options')) in its AJAX handler for saving plugin settings. This allows any authenticated user, such as a Subscriber, to modify the plugin's configuration by providing a valid nonce.
Vulnerable Code
```php
// Inferred from plugin settings handling logic
// premium-addons-for-elementor/admin/includes/admin-helper.php (approximate)
add_action( 'wp_ajax_pa_save_admin_settings', array( $this, 'save_settings' ) );

public function save_settings() {
    // Nonce verification is present, but missing capability check
    check_ajax_referer( 'pa-settings-nonce', 'security' );
    if ( isset( $_POST['settings'] ) ) {
        $settings = $_POST['settings'];
        update_option( 'pa_st_settings', $settings );
        wp_send_json_success();
    }
}
```
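Section 9 suggests grepping the plugin source for `wp_ajax_` registrations; the audit helper below, added here and not part of the advisory or the plugin's code, generalises that check: it pairs each `wp_ajax_*` registration with its callback and flags handlers that verify a nonce but never call a capability check, which is exactly the defect in the handler above. The PHP sample is constructed to mirror that handler; the `pa_reset_settings` action and `reset_settings` callback are hypothetical.

```python
"""Audit helper for the CVE-2025-69300 pattern: wp_ajax_* handlers that
verify a nonce (CSRF) but never check a capability (authorization)."""
import re

# Constructed sample: the advisory's handler shape plus a hypothetical hardened
# sibling, so the scanner has one handler to flag and one to pass.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_pa_save_admin_settings', array( $this, 'save_settings' ) );
add_action( 'wp_ajax_pa_reset_settings', array( $this, 'reset_settings' ) );
public function save_settings() {
    check_ajax_referer( 'pa-settings-nonce', 'security' );
    if ( isset( $_POST['settings'] ) ) {
        update_option( 'pa_st_settings', $_POST['settings'] );
        wp_send_json_success();
    }
}
public function reset_settings() {
    check_ajax_referer( 'pa-settings-nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized' );
    }
    wp_send_json_success();
}
"""

# Matches add_action( 'wp_ajax_<action>', array( $this, '<callback>' ) )
REG_RE = re.compile(
    r"add_action\(\s*'wp_ajax_(\w+)'\s*,\s*array\(\s*\$this\s*,\s*'(\w+)'\s*\)")

def function_body(src, name):
    """Body of `function name(...) {...}` by brace matching (string braces ignored)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def find_unauthorized_handlers(src):
    """Return (action, callback, has_nonce) for every registered handler whose
    body never calls current_user_can()/user_can(); a nonce alone is CSRF-only."""
    findings = []
    for action, callback in REG_RE.findall(src):
        body = function_body(src, callback)
        if body is not None and not re.search(r"(current_)?user_can\s*\(", body):
            has_nonce = bool(re.search(r"check_ajax_referer|wp_verify_nonce", body))
            findings.append((action, callback, has_nonce))
    return findings
```

Run it over a plugin directory by concatenating its PHP files into `src`; a finding with `has_nonce` set to True is the nonce-without-capability shape this advisory describes.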
Security Fix
@@ -10,6 +10,10 @@ public function save_settings() { check_ajax_referer( 'pa-settings-nonce', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'Unauthorized' ) ); + } + if ( isset( $_POST['settings'] ) ) { $settings = $_POST['settings']; update_option( 'pa_st_settings', $settings );
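Review bot: the added `current_user_can( 'manage_options' )` guard closes the authorization gap, but the unchanged context lines in this hunk still persist `$_POST['settings']` verbatim through `update_option( 'pa_st_settings', $settings )`; even an administrator's submission should be validated against the option's expected keys and sanitized (for example `map_deep( wp_unslash( $_POST['settings'] ), 'sanitize_text_field' )`) before it is written, since section 9 of the plan notes these values may later be rendered. The early exit relies on `wp_send_json_error()` terminating via `wp_die()`, which it does by default, so no explicit `return` is needed after it.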
Exploit Outline
The exploit targets the AJAX action `pa_save_admin_settings`. An attacker must first authenticate as a Subscriber and obtain a valid security nonce (typically found in localized JavaScript variables such as `PremiumAddonsSettings.nonce` or `pa_settings_vars.nonce`). The attacker then sends a POST request to `/wp-admin/admin-ajax.php` with the action set to `pa_save_admin_settings`, the retrieved nonce in the `security` parameter, and the desired plugin configuration changes in the `settings` parameter. Because the plugin does not verify if the user has the 'manage_options' capability, the `update_option` call will execute and overwrite the plugin's global settings in the database.