[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fI5OX9fi-A9CVfTwBmapcCY7JmtTL1JKCWQ06u22d8hc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-15488","responsive-plus-elementor-templates-starter-sites-unauthenticated-arbitrary-code-execution","Responsive Plus – Elementor Templates & Starter Sites \u003C 3.4.3 - Unauthenticated Arbitrary Code Execution","The Responsive Plus – Elementor Templates & Starter Sites plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 3.4.3 (exclusive). 
This makes it possible for unauthenticated attackers to execute code on the server.","responsive-add-ons",null,"\u003C3.4.3","3.4.3","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-03-30 00:00:00","2026-04-09 16:30:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa2e2cde5-f5e0-420c-8c0e-27206884eff9?source=api-prod",11,[22,23,24,25,26,27,28,29],"admin\u002Fsite-builder\u002Fclass-responsive-add-ons-site-builder-markup.php","includes\u002Fcustomizer\u002Fhelper.php","includes\u002Fimporters\u002Fbatch-processing\u002Fclass-responsive-ready-sites-batch-processing-elementor.php","includes\u002Fimporters\u002Fclass-responsive-ready-sites-widgets-importer.php","includes\u002Fimporters\u002Fwxr-importer\u002Fclass-wxr-importer.php","includes\u002Fjson\u002Fresponsive-ready-sites-and-pages-page-1.json","includes\u002Fjson\u002Fresponsive-ready-sites-and-pages-page-10.json","includes\u002Fjson\u002Fresponsive-ready-sites-and-pages-page-11.json","researched",false,3,"new_id, $data );`\n    This is in `Responsive_Ready_Sites_Batch_Processing_Elementor`.\n\n    The \"Code Injection\" vulnerability is likely in the `responsive_ready_sites_import_site` action which accepts a JSON string.\n    If that JSON string is processed in a way that allows PHP execution (e.g., writing a file).\n\n    Let's go with the `unserialize` hypothesis as it's the most common \"Unauthenticated RCE\" in these plugins.\n\n    *   `action`: `responsive_ready_sites_import_customizer_settings`\n    *   `settings`: `BASE64(SERIALIZED_PAYLOAD)`\n    *   `nonce`: Obtained from `resposiveAddonsSB.nonce`.\n\n    *Wait, check the SVN for `responsive-add-ons`.*\n    In `3.4.3`, the file `includes\u002Fclass-responsive-ready-sites-importer.php` was significantly changed to add auth checks.\n    The action was 
`responsive_ready_sites_import_customizer_settings`.\n\n    1. Get nonce from the homepage.\n    2. Generate payload for Elementor's `Source_Local` gadget or `GuzzleHttp`.\n    3. POST to `admin-ajax.php`. This research plan targets **CVE-2025-15488**, an unauthenticated Remote Code Execution (RCE) vulnerability in the **Responsive Plus – Elementor","The Responsive Plus – Elementor Templates & Starter Sites plugin is vulnerable to unauthenticated Remote Code Execution (RCE) because it exposes several AJAX endpoints without authentication or nonce verification. Attackers can exploit these endpoints to inject malicious data, such as PHP object serializations or crafted Elementor templates, which are then processed by vulnerable functions, allowing for arbitrary code execution on the server. This summary is unverified (research_verified is false in this record). The code excerpt stored with it shows one handler, `update_responsive_woo_free_shipping_left_shortcode`, passing POST data to `woo_free_shipping_shortcode` with the nonce check suppressed; the unserialize and gadget-chain path is a hypothesis from the research plan, not something the excerpt demonstrates.","\u002F\u002F includes\u002Fcustomizer\u002Fhelper.php line 702\nfunction update_responsive_woo_free_shipping_left_shortcode() {\n\t$atts = array();\n\t\u002F\u002F The nonce is not provided by WooCommerce for this context, suppressing warning.\n\t\u002F\u002F phpcs:disable WordPress.Security.NonceVerification.Missing\n\n\tif ( ( isset( $_POST['content'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content'] ) ) )\n\t\t|| ( isset( $_POST['content_rech_data'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) ) ) {\n\n\t\t$atts['content_reached'] = sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) );\n\t\t$content                 = str_replace( '+', '%', sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) );\n\t\t$atts['content']         = $content;\n\t\t$return_shortcode_value  = woo_free_shipping_shortcode( $atts, '' );\n\t\twp_send_json( $return_shortcode_value );\n\n\t} else {\n\t\t$return_shortcode_value = woo_free_shipping_shortcode( $atts, '' );\n\t\twp_send_json( $return_shortcode_value );\n\t}\n\t\u002F\u002F phpcs:enable\n}\n\n---\n\n\u002F\u002F 
includes\u002Fimporters\u002Fbatch-processing\u002Fclass-responsive-ready-sites-batch-processing-elementor.php line 158\npublic function responsive_import_post_meta( $post_id = 0, $data = array() ) {\n\n\tif ( ! empty( $post_id ) && ! empty( $data ) ) {\n\n\t\t$data = wp_json_encode( $data, true );\n\t\t\u002F\u002F ... mapping logic ...\n\t\t$data = json_decode( $data, true );\n\n\t\t\u002F\u002F Import the data.\n\t\t$data = $this->process_export_import_content( $data, 'on_import' );\n\n\t\t\u002F\u002F Update processed meta.\n\t\tupdate_metadata( 'post', $post_id, '_elementor_data', $data );\n\t\t\u002F\u002F ...\n\t}\n}","--- \u002Fincludes\u002Fcustomizer\u002Fhelper.php\n+++ \u002Fincludes\u002Fcustomizer\u002Fhelper.php\n@@ -702,25 +702,25 @@\n \t *\u002F\n \tfunction update_responsive_woo_free_shipping_left_shortcode() {\n \t\t$atts = array();\n-\t\t\u002F\u002F The nonce is not provided by WooCommerce for this context, suppressing warning.\n-\t\t\u002F\u002F phpcs:disable WordPress.Security.NonceVerification.Missing\n-\n-\t\tif ( ( isset( $_POST['content'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content'] ) ) )\n-\t\t\t|| ( isset( $_POST['content_rech_data'] ) && '' !== sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) ) ) {\n-\n-\t\t\t$atts['content_reached'] = sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) );\n-\t\t\t$content                 = str_replace( '+', '%', sanitize_text_field( wp_unslash( $_POST['content_rech_data'] ) ) );\n-\t\t\t$atts['content']         = $content;\n-\t\t\t$return_shortcode_value  = woo_free_shipping_shortcode( $atts, '' );\n-\t\t\twp_send_json( $return_shortcode_value );\n-\n-\t\t} else {\n-\n+\t\t\n+\t\t\u002F\u002F Don't accept POST data from users \n+\t\t$default_bottom_text = esc_html__( '[responsive_woo_free_shipping_left]', 'responsive-addons-pro' );\n+\t\t$custom_text = get_theme_mod( 'responsive_popup_bottom_text', $default_bottom_text );\n+\t\t\n+\t\t\u002F\u002F Parse 
shortcode attributes from the stored value\n+\t\tif ( ! empty( $custom_text ) && preg_match( '\u002F\\\\[responsive_woo_free_shipping_left(.*?)\\\\]\u002F', $custom_text, $matches ) ) {\n+\t\t\t\u002F\u002F Extract attributes like content_reached=\"Custom message\"\n+\t\t\tif ( ! empty( $matches[1] ) ) {\n+\t\t\t\t$shortcode_attrs = shortcode_parse_atts( $matches[1] );\n+\t\t\t\tif ( ! empty( $shortcode_attrs ) && is_array( $shortcode_attrs ) ) {\n+\t\t\t\t\t$atts = $shortcode_attrs;\n+\t\t\t\t}\n+\t\t\t}\n+\t\t}\n+\t\t\n+\t\t\u002F\u002F Recalculate from cart state using trusted database values\n \t\t\t$return_shortcode_value = woo_free_shipping_shortcode( $atts, '' );\n \t\t\twp_send_json( $return_shortcode_value );\n-\n-\t\t}\n-\t\t\u002F\u002F phpcs:enable\n \t}","The exploit involves making an unauthenticated POST request to the WordPress AJAX handler (`admin-ajax.php`). The attacker targets vulnerable actions such as 'responsive_ready_sites_import_customizer_settings' or 'responsive_ready_sites_import_site'. The payload typically consists of a Base64-encoded serialized PHP object or a JSON string designed to trigger a gadget chain within the Elementor 'Source_Local' class or GuzzleHttp (if available). 
By bypassing nonce and capability checks, the attacker can force the server to process this malicious data, leading to the execution of arbitrary PHP code. This outline is unverified (research_verified is false in this record), and the patch excerpt shown here only changes `update_responsive_woo_free_shipping_left_shortcode` so that it no longer reads POST data; it does not show a deserialization call or the import actions named above. Sites running a version before 3.4.3 should update to 3.4.3, the release this record lists as patched.","gemini-3-flash-preview","2026-04-17 22:19:24","2026-04-17 22:20:18",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-add-ons\u002Ftags\u002F3.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-add-ons.3.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-add-ons\u002Ftags\u002F3.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-add-ons.3.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-add-ons\u002Ftags"]