CVE-2025-11536: 
WordPress vulnerability analysis and mitigation

The Element Pack Addons for Elementor plugin for WordPress (CVE-2025-11536) contains a Blind Server-Side Request Forgery vulnerability affecting all versions up to and including 8.2.5. The vulnerability was discovered and disclosed on October 20, 2025 (NVD).

The vulnerability exists in the wp_ajax_import_elementor_template action of the Element Pack Addons plugin. It allows authenticated attackers with Subscriber-level access or higher to make web requests to arbitrary locations originating from the web application. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

When exploited, this vulnerability can be used to query and modify information from internal services. The attacker can leverage the web application's trust relationship to access or modify internal resources that would otherwise be inaccessible (NVD).

Users should update their Element Pack Addons for Elementor plugin to a version newer than 8.2.5 when available. Until a patch is released, administrators should consider restricting access to the affected functionality or implementing additional access controls (NVD).