CVE-2025-15488

Responsive Plus – Elementor Templates & Starter Sites < 3.4.3 - Unauthenticated Arbitrary Code Execution

Severity: critical
Weakness: Improper Control of Generation of Code ('Code Injection') (CWE-94)
CVSS Score: 9.8
Patched in: 3.4.3
Time to patch: 11d

Description

The Responsive Plus – Elementor Templates & Starter Sites plugin for WordPress is vulnerable to Remote Code Execution in all versions before 3.4.3. This makes it possible for unauthenticated attackers to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: < 3.4.3
Published: March 30, 2026
Last updated: April 9, 2026
Affected plugin: responsive-add-ons

What Changed in the Fix

Changes introduced in v3.4.3


Source Code

WordPress.org SVN
Research Plan
Unverified


`new_id, $data );` This is in `Responsive_Ready_Sites_Batch_Processing_Elementor`.

The "Code Injection" vulnerability is likely in the `responsive_ready_sites_import_site` action, which accepts a JSON string.
If that JSON string were processed in a way that allowed PHP execution (e.g., by writing it to a file), that would account for the reported code injection.

Let's go with the `unserialize` hypothesis as it's the most common "Unauthenticated RCE" in these plugins.

*   `action`: `responsive_ready_sites_import_customizer_settings`
*   `settings`: `BASE64(SERIALIZED_PAYLOAD)`
*   `nonce`: Obtained from `resposiveAddonsSB.nonce`.

*Wait, check the SVN for `responsive-add-ons`.*
In `3.4.3`, the file `includes/class-responsive-ready-sites-importer.php` was significantly changed to add auth checks.
The action was `responsive_ready_sites_import_customizer_settings`.

1. Get nonce from the homepage.
2. Generate payload for Elementor's `Source_Local` gadget or `GuzzleHttp`.
3. POST to `admin-ajax.php`.

This research plan targets **CVE-2025-15488**, an unauthenticated Remote Code Execution (RCE) vulnerability in the **Responsive Plus – Elementor
Research Findings
Static analysis — not yet PoC-verified

Summary

The Responsive Plus – Elementor Templates & Starter Sites plugin exposes AJAX handlers that read request data without a nonce or capability check, so they are reachable by unauthenticated visitors. The static analysis below hypothesises that an attacker can feed such an endpoint attacker-controlled data (for example a serialized PHP object or a crafted Elementor template) that is then processed by code able to execute it. Note what this page actually shows: the code changed in 3.4.3 (Security Fix, below) is `update_responsive_woo_free_shipping_left_shortcode()` in `includes/customizer/helper.php`, an AJAX handler that passed `$_POST['content_rech_data']` straight into `woo_free_shipping_shortcode()`; the fix stops reading POST data and rebuilds the shortcode attributes from the stored `responsive_popup_bottom_text` theme mod. The import-endpoint/unserialize path named in the research plan is not covered by the diff shown here and remains unverified.
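The summary above and the research plan's "get nonce from the homepage, then POST to admin-ajax.php" steps both turn on the same WordPress detail: a `wp_ajax_nopriv_` handler is public, and a nonce on its own is not authentication. The following is an added example written for this page, not the plugin's code; the `rp_example_*` action and function names, the `rp_example_nonce` field and the `rp_example_text` theme mod are invented for it. It puts a handler of the vulnerable shape beside a hardened one that is registered for logged-in users only, verifies a nonce, checks a capability and takes only allow-listed attributes from the request.

```php
<?php
/**
 * Added example, not code from the Responsive Plus plugin: a WordPress AJAX
 * handler that trusts POST input (the shape of the pre-3.4.3 handler) next
 * to a hardened version. The 'rp_example_*' action and function names, the
 * 'rp_example_nonce' field and the 'rp_example_text' theme mod are
 * assumptions made for this illustration.
 */

// ---- Vulnerable shape -------------------------------------------------
// wp_ajax_nopriv_ makes the handler reachable by logged-out visitors, and
// the body reads request data with no nonce, capability or allow-list
// check. sanitize_text_field() strips tags and control characters but does
// not stop the request from choosing what the renderer operates on.
add_action( 'wp_ajax_nopriv_rp_example_vuln', 'rp_example_vuln_handler' );
add_action( 'wp_ajax_rp_example_vuln', 'rp_example_vuln_handler' );
function rp_example_vuln_handler() {
	$atts = array();
	if ( isset( $_POST['content_rech_data'] ) ) {
		$atts['content'] = sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) );
	}
	wp_send_json( rp_example_render( $atts ) );
}

// ---- Hardened shape ---------------------------------------------------
// 1. Registered on wp_ajax_ only, so logged-out visitors get admin-ajax.php's
//    default "0" reply without reaching this code.
// 2. check_ajax_referer() dies unless a valid nonce is present. A nonce is
//    CSRF protection, not authentication: WordPress derives nonces for
//    logged-out visitors from user id 0 and an empty session token, so a
//    nonce printed into a public page is available to anyone.
// 3. current_user_can() is the authorization step.
// 4. Only allow-listed attribute names are taken from the request; the
//    default text comes from the stored theme mod, as the 3.4.3 fix does.
add_action( 'wp_ajax_rp_example_hardened', 'rp_example_hardened_handler' );
function rp_example_hardened_handler() {
	check_ajax_referer( 'rp_example_hardened', 'rp_example_nonce' );
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // wp_send_json_* ends the request
	}

	$allowed = array( 'content', 'content_reached' );
	$atts    = array();
	foreach ( $allowed as $key ) {
		if ( isset( $_POST[ $key ] ) ) {
			$atts[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
		}
	}
	wp_send_json( rp_example_render( $atts ) );
}

// Nonce the front end must send as 'rp_example_nonce' with the hardened
// request; hand it to the script with wp_localize_script() or
// wp_add_inline_script() on admin screens only.
function rp_example_nonce() {
	return wp_create_nonce( 'rp_example_hardened' );
}

// Stand-in for the plugin's shortcode renderer. Stored configuration is the
// source of truth; request attributes can only override known keys, and the
// result is escaped before it is returned.
function rp_example_render( array $atts ) {
	$defaults = array(
		'content'         => get_theme_mod( 'rp_example_text', 'Free shipping on orders over %s' ),
		'content_reached' => 'You qualify for free shipping',
	);
	$atts = shortcode_atts( $defaults, $atts );
	return esc_html( $atts['content'] );
}
```

The ordering inside the hardened handler matters: the nonce check comes first because `check_ajax_referer()` terminates the request on failure, the capability check comes next because a valid nonce only proves the request originated from a page that printed it, and the allow-list is applied last so that nothing from the request reaches the renderer under a key the code did not anticipate.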

Vulnerable Code

// includes/customizer/helper.php line 702
function update_responsive_woo_free_shipping_left_shortcode() {
	$atts = array();
	// The nonce is not provided by WooCommerce for this context, suppressing warning.
	// phpcs:disable WordPress.Security.NonceVerification.Missing

	if ( ( isset( $_POST['content'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content'] ) ) )
		|| ( isset( $_POST['content_rech_data'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) ) ) {

		$atts['content_reached'] = sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) );
		$content                 = str_replace( '+', '%', sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) );
		$atts['content']         = $content;
		$return_shortcode_value  = woo_free_shipping_shortcode( $atts, '' );
		wp_send_json( $return_shortcode_value );

	} else {
		$return_shortcode_value = woo_free_shipping_shortcode( $atts, '' );
		wp_send_json( $return_shortcode_value );
	}
	// phpcs:enable
}

---

// includes/importers/batch-processing/class-responsive-ready-sites-batch-processing-elementor.php line 158
public function responsive_import_post_meta( $post_id = 0, $data = array() ) {

	if ( ! empty( $post_id ) && ! empty( $data ) ) {

		$data = wp_json_encode( $data, true );
		// ... mapping logic ...
		$data = json_decode( $data, true );

		// Import the data.
		$data = $this->process_export_import_content( $data, 'on_import' );

		// Update processed meta.
		update_metadata( 'post', $post_id, '_elementor_data', $data );
		// ...
	}
}

Security Fix

--- /includes/customizer/helper.php
+++ /includes/customizer/helper.php
@@ -702,25 +702,25 @@
 	 */
 	function update_responsive_woo_free_shipping_left_shortcode() {
 		$atts = array();
-		// The nonce is not provided by WooCommerce for this context, suppressing warning.
-		// phpcs:disable WordPress.Security.NonceVerification.Missing
-
-		if ( ( isset( $_POST['content'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content'] ) ) )
-			|| ( isset( $_POST['content_rech_data'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) ) ) {
-
-			$atts['content_reached'] = sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) );
-			$content                 = str_replace( '+', '%', sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) );
-			$atts['content']         = $content;
-			$return_shortcode_value  = woo_free_shipping_shortcode( $atts, '' );
-			wp_send_json( $return_shortcode_value );
-
-		} else {
-
+		
+		// Don't accept POST data from users 
+		$default_bottom_text = esc_html__( '[responsive_woo_free_shipping_left]', 'responsive-addons-pro' );
+		$custom_text = get_theme_mod( 'responsive_popup_bottom_text', $default_bottom_text );
+		
+		// Parse shortcode attributes from the stored value
+		if ( ! empty( $custom_text ) && preg_match( '/\\[responsive_woo_free_shipping_left(.*?)\\]/', $custom_text, $matches ) ) {
+			// Extract attributes like content_reached="Custom message"
+			if ( ! empty( $matches[1] ) ) {
+				$shortcode_attrs = shortcode_parse_atts( $matches[1] );
+				if ( ! empty( $shortcode_attrs ) && is_array( $shortcode_attrs ) ) {
+					$atts = $shortcode_attrs;
+				}
+			}
+		}
+		
+		// Recalculate from cart state using trusted database values
 			$return_shortcode_value = woo_free_shipping_shortcode( $atts, '' );
 			wp_send_json( $return_shortcode_value );
-
-		}
-		// phpcs:enable
 	}
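Review bot: no nonce or capability check is added to `update_responsive_woo_free_shipping_left_shortcode()`, so if the action is still hooked through `wp_ajax_nopriv_` (the registration is not in this hunk) any visitor can still invoke it; that is defensible only because the handler now renders nothing but the site's own `responsive_popup_bottom_text` theme mod, and a one-line comment stating that the endpoint is intentionally public would document the decision. Two smaller points: the added blank lines carry trailing tabs (`+		`), and the retained `$return_shortcode_value = woo_free_shipping_shortcode( $atts, '' );` / `wp_send_json( $return_shortcode_value );` keep their old else-block indentation, one level deeper than the new code around them, so re-indent them. Also, `esc_html__( '[responsive_woo_free_shipping_left]', 'responsive-addons-pro' )` makes a shortcode tag translatable under a text domain that does not match this plugin's `responsive-add-ons` slug; a translation could alter the default so that the `preg_match( '/\\[responsive_woo_free_shipping_left(.*?)\\]/', ... )` below it no longer matches, so use a plain string literal for the default.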

Exploit Outline

The outline below is the research plan's hypothesis and has not been verified against the patched code. It assumes an unauthenticated POST to the WordPress AJAX handler (`admin-ajax.php`) targeting an action such as `responsive_ready_sites_import_customizer_settings` or `responsive_ready_sites_import_site`, carrying a Base64-encoded serialized PHP object or a JSON document intended to trigger a gadget chain in Elementor's `Source_Local` class or in GuzzleHttp where it is present. Because the targeted handlers are reachable without a nonce or capability check, the server would process that data as supplied, and a usable gadget chain would yield arbitrary PHP execution. The fix actually shown on this page (Security Fix, above) hardens a different handler, `update_responsive_woo_free_shipping_left_shortcode()`, by no longer reading `$_POST['content_rech_data']`; treat any installed version below 3.4.3 as affected regardless of which path is exploited.
