{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8481", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-01T17:41:03.395Z", "datePublished": "2025-09-11T07:24:57.926Z", "dateUpdated": "2026-04-08T17:17:53.178Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:53.178Z"}, "affected": [{"vendor": "mdimran41", "product": "Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid <= 1.1.7 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8f31f8e-03a0-436c-bfa3-bc41d70e8e2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog-designer-for-elementor/tags/1.1.7/inc/import-books-from-amazon-notice/import-books-from-amazon-notice.php#L109"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-09-10T18:55:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T13:44:47.733139Z", "id": "CVE-2025-8481", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:38:26.145Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8481", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T13:44:47.733139Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T13:44:49.258Z"}}], "cna": {"title": "Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid <= 1.1.7 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "mdimran41", "product": "Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:55:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8f31f8e-03a0-436c-bfa3-bc41d70e8e2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog-designer-for-elementor/tags/1.1.7/inc/import-books-from-amazon-notice/import-books-from-amazon-notice.php#L109"}], "descriptions": [{"lang": "en", "value": "The Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:53.178Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8481", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:53.178Z", "dateReserved": "2025-08-01T17:41:03.395Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:24:57.926Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-8481", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:34.637", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog-designer-for-elementor/tags/1.1.7/inc/import-books-from-amazon-notice/import-books-from-amazon-notice.php#L109"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8f31f8e-03a0-436c-bfa3-bc41d70e8e2a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:52:20.451538+00:00", "value": {"mitigation_remediation": ["Upgrade the Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid plugin to the latest version that includes nonce validation.", "If the rs-wp-books-showcase plugin has already been installed via this flaw, uninstall it from the site.", "Enable a WordPress security measure that enforces nonce validation on all admin actions, such as a dedicated security plugin that blocks CSRF attacks and restricts plugin installations to authenticated users only."], "summary": {"action": "Update Plugin", "impact": "Unauthenticated plugin installation via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites using the mdimran41 Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid plugin 1.1.7 or earlier are affected. Site administrators must review the installed plugins and ensure that this plugin version is not in use; if it is, they should update or remove it.", "description_and_impact": "The vulnerability resides in the Blog Designer For Elementor \u2013 Post Slider, Post Carousel, Post Grid plugin for WordPress. An unauthenticated attacker can cause the vulnerable BDFE endpoint to install the third\u2011party 'rs-wp-books-showcase' plugin by sending a forged request that bypasses nonce validation. The result is that the plugin is added to the site without the administrator\u2019s knowledge, potentially exposing the site to malicious code from the newly installed plugin.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a crafted link presented to a site administrator that, when clicked, submits a CSRF request to the vulnerable endpoint; no authentication is required for the attacker, but social engineering is necessary to get an admin to trigger it."}}}}, "created": "2025-09-12T09:11:21.078115+00:00", "updated": "2026-04-20T22:00:11.192820+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "mdimran41", "mdimran41$PRODUCT$blog_designer_for_elementor_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}