CVE-2025-1639: 
WordPress vulnerability analysis and mitigation

The Animation Addons for Elementor Pro plugin for WordPress (CVE-2025-1639) contains a vulnerability related to unauthorized arbitrary plugin installation. The vulnerability was discovered on March 3, 2025, affecting all versions up to and including 1.6. The issue stems from a missing capability check in the installelementorplugin_handler() function (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-862 (Missing Authorization). The vulnerability exists due to improper implementation of authorization controls in the plugin's functionality (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to install and activate arbitrary plugins on WordPress sites where Elementor is not activated. This capability can be leveraged to further compromise the affected website and potentially execute malicious code (NVD).

Website administrators should upgrade to version 1.7 or later of the Animation Addons for Elementor Pro plugin to address this vulnerability. The fix has been implemented in the latest version to include proper capability checks (Themeforest).