{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1639", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-24T17:04:42.711Z", "datePublished": "2025-03-04T03:38:00.282Z", "dateUpdated": "2026-04-08T17:34:31.121Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:31.121Z"}, "affected": [{"vendor": "crowdyTheme", "product": "Animation Addons for Elementor Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site."}], "title": "Animation Addons for Elementor Pro <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fb310bdb-fc74-47b2-9371-3d10abd287fb?source=cve"}, {"url": "https://themeforest.net/item/arolax-creative-digital-agency-theme/53547630"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-03-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T15:33:50.270291Z", "id": "CVE-2025-1639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:34:00.258Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-04T15:33:50.270291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:33:56.131Z"}}], "cna": {"title": "Animation Addons for Elementor Pro <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation", "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "crowdyTheme", "product": "Animation Addons for Elementor Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-03T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fb310bdb-fc74-47b2-9371-3d10abd287fb?source=cve"}, {"url": "https://themeforest.net/item/arolax-creative-digital-agency-theme/53547630"}], "descriptions": [{"lang": "en", "value": "The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:31.121Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1639", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:31.121Z", "dateReserved": "2025-02-24T17:04:42.711Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-04T03:38:00.282Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:crowdytheme:arolax:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8D74F35E-060C-4BC1-AB28-040E0D5F4E86", "versionEndExcluding": "1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site."}, {"lang": "es", "value": "El complemento Animation Addons for Elementor Pro para WordPress es vulnerable a la instalaci\u00f3n de complementos arbitrarios no autorizados debido a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n install_elementor_plugin_handler() en todas las versiones hasta la 1.6 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, instalen y activen complementos arbitrarios que pueden aprovecharse para infectar a\u00fan m\u00e1s a una v\u00edctima cuando Elementor no est\u00e1 activado en un sitio vulnerable."}], "id": "CVE-2025-1639", "lastModified": "2025-03-05T16:39:15.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-04T04:15:11.697", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://themeforest.net/item/arolax-creative-digital-agency-theme/53547630"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fb310bdb-fc74-47b2-9371-3d10abd287fb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:42:41.920191+00:00", "value": {"mitigation_remediation": ["Upgrade Animation Addons for Elementor Pro to version 1.7 or later, if available. ", "Restrict the Subscriber+ role from plugin installation and activation capabilities, or remove this role from users who do not require such permissions. ", "Audit all installed plugins for unexpected or malicious code and remove any that appear to have been introduced via the vulnerability."], "summary": {"action": "Patch Now", "impact": "Unauthorized arbitrary plugin installation and activation with Subscriber-level access"}, "threat_synthesis": {"affected_systems": "The affected product is the Animation Addons for Elementor Pro plugin published by crowdyTheme. Versions 1.6 and all earlier releases are impacted; no later versions are listed as vulnerable in the provided data.", "description_and_impact": "The Animation Addons for Elementor Pro plugin fails to perform a capability check in its install_elementor_plugin_handler() function, allowing an attacker who has at least Subscriber privileges to install and activate any WordPress plugin. This flaw permits the immediate deployment of malicious code without further interaction, and since the vulnerability exists in all releases up to and including 1.6, it applies broadly to sites running those versions. The associated weakness is identified as CWE-862, indicating missing authentication or authorization checks.", "risk_and_exploitability": "The CVSS score of 8.8 reflects a high severity for this flaw, and the EPSS score of 11% suggests a measurable likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be authenticated, with the attacker needing only to be logged in as a Subscriber or higher. Once authenticated, the attacker can invoke the vulnerable handler to upload any plugin package, leading to arbitrary code execution once the plugin is activated. No additional exploitation prerequisites are noted."}}}}, "created": "2026-04-20T23:45:21.608330+00:00", "updated": "2026-04-20T23:45:21.608339+00:00", "vendors": []}