CVE-2025-15369 Overview
CVE-2025-15369 affects the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress. The plugin is vulnerable to unauthorized modification of data through a missing capability check on the get_content_editor function. All versions up to and including 1.5.0 are affected. Unauthenticated attackers can exploit this flaw to create published Xpro templates without holding any account on the target site. The issue is classified as a Missing Authorization weakness [CWE-862] and is exploitable remotely over the network without user interaction.
Critical Impact
Unauthenticated attackers can create published Xpro templates on affected WordPress sites, leading to unauthorized content modification and potential abuse of the site's published asset surface.
Affected Products
- Xpro Addons — 140+ Widgets for Elementor plugin for WordPress
- All versions up to and including 1.5.0
- WordPress sites using the vulnerable plugin in any configuration
Discovery Timeline
- 2026-05-20 - CVE-2025-15369 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2025-15369
Vulnerability Analysis
The vulnerability resides in the get_content_editor function exposed by the Xpro Addons plugin. The function lacks a WordPress capability check, meaning it does not verify whether the requesting user holds the appropriate role or permission before executing privileged actions. As a result, the endpoint processes requests from any source, including unauthenticated visitors. Attackers can invoke the function to create and publish Xpro templates on the target WordPress site. The flaw maps to CWE-862: Missing Authorization and corresponds to an EPSS probability of 0.038% at the time of publication.
Root Cause
The root cause is the absence of a current_user_can() capability check and a missing nonce verification on the get_content_editor handler. WordPress plugins are expected to gate privileged actions behind both capability checks and nonce validation. The Xpro Addons plugin registered the handler without either control, exposing the action to any HTTP client that can reach the WordPress admin-ajax or REST endpoint.
Attack Vector
An attacker reaches the vulnerable endpoint over the network by sending a crafted HTTP request to the WordPress site. No authentication, privileges, or user interaction are required. A successful request causes the plugin to create a published Xpro template under the attacker's chosen parameters. Repeated invocations can populate the site with attacker-controlled templates that may then surface in the site's editor or front-end content workflows.
No verified public proof-of-concept code is available. Technical detail on the affected handler can be reviewed in the WordPress Plugin Source Code and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-15369
Indicators of Compromise
- Unexpected Xpro templates appearing in the WordPress template library with a published status
- HTTP POST requests to admin-ajax.php referencing the get_content_editor action from unauthenticated sessions
- New post_type entries associated with Xpro templates that have no corresponding administrator activity in WordPress audit logs
Detection Strategies
- Inspect web server access logs for requests targeting admin-ajax.php or REST routes that reference get_content_editor and originate from clients without authenticated session cookies
- Correlate WordPress database changes in template-related tables with administrator login activity to identify template creation without an authenticated source
- Monitor for spikes in template creation events on sites running Xpro Addons version 1.5.0 or earlier
Monitoring Recommendations
- Enable WordPress audit logging to record template creation, modification, and publication events with originating IP and session context
- Forward web server and WordPress logs to a centralized SIEM or data lake for retention and query against the indicators above
- Alert on any plugin endpoint invocation from unauthenticated clients that results in new published content
How to Mitigate CVE-2025-15369
Immediate Actions Required
- Identify all WordPress instances running the Xpro Addons — 140+ Widgets for Elementor plugin at version 1.5.0 or earlier
- Update the plugin to a version that includes a fix for the get_content_editor capability check once released by the vendor
- Review the WordPress template library for unauthorized Xpro templates and remove any that cannot be attributed to a legitimate administrator
- Rotate administrator credentials if unauthorized template creation indicates broader site abuse
Patch Information
At the time of NVD publication on 2026-05-20, the available references are the WordPress Plugin Source Code and the Wordfence Vulnerability Report. Administrators should consult the plugin's WordPress.org listing for the latest patched release and changelog confirming the fix to get_content_editor.
Workarounds
- Deactivate the Xpro Addons plugin until a patched version is installed if templates created by the plugin are not in active use
- Restrict access to wp-admin/admin-ajax.php from untrusted networks using a web application firewall rule that blocks unauthenticated requests referencing the get_content_editor action
- Enforce least-privilege roles for site editors and remove unused administrator accounts to limit downstream abuse of unauthorized templates
# Example WAF rule (ModSecurity-style) to block unauthenticated requests to the vulnerable action
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,deny,status:403,id:1015369,msg:'Block unauth Xpro get_content_editor (CVE-2025-15369)'"
SecRule ARGS:action "@streq get_content_editor" "chain"
SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
