CVE-2025-15369 MEDIUM

CVE-2025-15369: Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 - Missing Authorization to Unauthenticated Xpro Template Creation

Vendor Xpro

Product Xpro Addons — 140+ Widgets for Elementor

Weakness CWE-862 · Missing authorization

Published May 20, 2026

Last update May 20, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_content_editor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create published Xpro templates.

Key dates

Disclosure timeline

May 20, 2026 CVE published

May 20, 2026 Record updated

Identifiers

CVE CVE-2025-15369

CWE CWE-862

CVSS 5.3 / MEDIUM

Affected versions

Vendor Xpro

Product Xpro Addons — 140+ Widgets for Elementor

Affected ≤ 1.5.0