CVE-2025-54033

2025-07-16

Lifecycle Timeline

CVE Published: Jul 16, 2025 - 11:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)

Description

Cross-Site Request Forgery (CSRF) vulnerability in BlocksWP Theme Builder For Elementor theme-builder-for-elementor allows Cross Site Request Forgery. This issue affects Theme Builder For Elementor: from n/a through <= 1.2.3.

Analysis

Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 lets an attacker who holds no account on the site induce a logged-in user, typically an administrator, to submit a state-changing request to the plugin without intending to. No CVSS score is published for this record, EPSS estimates a 0.02% probability of exploitation in the wild, and no public exploit code or active exploitation has been reported, so the observed real-world risk is low. The flaw nevertheless sits in a plugin that controls site templates, which an administrator would normally be the only party able to change, so the update remains worthwhile.

Technical Context

This vulnerability stems from missing or insufficient anti-CSRF validation in the Theme Builder For Elementor WordPress plugin. The affected product is a WordPress theme builder extension that integrates with the Elementor page builder (CPE context: WordPress plugin, theme-builder-for-elementor). The CWE-352 classification indicates that at least one state-changing request handler does not require, or does not correctly verify, a WordPress nonce bound to the action and to the acting user. Because the browser attaches the victim's WordPress authentication cookies to requests that an attacker-controlled page initiates, an attacker can craft a web page or e-mail link that causes a logged-in administrator or editor to submit such a request unknowingly, for example to change theme-builder settings or inject attacker-chosen content; the attacker needs no account on the site. The data on this page does not identify the vulnerable endpoint or parameter, so the exact actions reachable through this CSRF are not confirmed here.
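As an added illustration of the CWE-352 pattern (example code written for this page, not code from the Theme Builder For Elementor plugin, BlocksWP or vuln.today), the following PHP shows a WordPress admin-ajax handler in the vulnerable shape beside its hardened form. The action name tbfe_save_template, the option name tbfe_header_template and the file admin.js are hypothetical names chosen for the example; the WordPress functions used (check_ajax_referer, wp_create_nonce, current_user_can, wp_send_json_error and the enqueue helpers) are real core APIs.

```php
<?php
/*
 * Added example, not code from the Theme Builder For Elementor plugin.
 * Hypothetical names: action 'tbfe_save_template', option 'tbfe_header_template',
 * script file 'admin.js'. Everything prefixed wp_/check_/current_user_can is
 * WordPress core.
 */

// --- Vulnerable pattern: a state change that any request carrying the
// victim's login cookie can trigger. A hidden <form method="post"> on an
// attacker page that auto-submits to admin-ajax.php?action=tbfe_save_template_vulnerable
// is enough, because nothing here proves the logged-in user intended the change.
function tbfe_save_template_vulnerable() {
    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    update_option( 'tbfe_header_template', $template_id );
    wp_send_json_success( array( 'template_id' => $template_id ) );
}
add_action( 'wp_ajax_tbfe_save_template_vulnerable', 'tbfe_save_template_vulnerable' );

// --- Hardened pattern: authorization check plus a nonce bound to this action.
function tbfe_save_template_hardened() {
    // 1. Authorization: a nonce proves intent, not privilege, so check the
    //    capability separately. edit_theme_options is the core capability for
    //    theme-level settings; administrators hold it by default.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    // 2. Intent: the request must carry a nonce minted for 'tbfe_save_template'
    //    for the current user. check_ajax_referer() reads the field named in its
    //    second argument (here _ajax_nonce) and, with the third argument true,
    //    terminates the request with a -1 / 403 response when the nonce is
    //    missing, expired or was issued for a different action or user.
    //    A forged cross-site request cannot supply a valid value because the
    //    attacker's origin cannot read the nonce out of the victim's admin page.
    check_ajax_referer( 'tbfe_save_template', '_ajax_nonce', true );

    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    update_option( 'tbfe_header_template', $template_id );
    wp_send_json_success( array( 'template_id' => $template_id ) );
}
add_action( 'wp_ajax_tbfe_save_template', 'tbfe_save_template_hardened' );

// --- Issuing the nonce to the legitimate admin page. Only a script running on
// that page receives it, so only that page can build a request the hardened
// handler accepts. The nonce is passed to admin.js as tbfeAjax.nonce and must be
// sent back as the _ajax_nonce field of the POST.
function tbfe_enqueue_admin_script( $hook_suffix ) {
    wp_enqueue_script( 'tbfe-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'tbfe-admin', 'tbfeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'tbfe_save_template' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'tbfe_enqueue_admin_script' );
```

The same split applies to classic form posts handled through admin-post.php: the form embeds the token with wp_nonce_field( 'tbfe_save_template' ) and the handler verifies it with check_admin_referer( 'tbfe_save_template' ) before calling update_option. Two things to check when auditing a plugin for this class: every write path has both the capability check and the nonce check (a nonce alone lets any subscriber with a valid token perform the action), and the nonce action string is specific to the operation rather than a single plugin-wide value reused across handlers.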

Affected Products

BlocksWP Theme Builder For Elementor (theme-builder-for-elementor WordPress plugin) is affected in all versions from its initial release through 1.2.3 inclusive. The product is a WordPress plugin that extends the Elementor page builder with theme-building functionality. Vendor advisory and vulnerability details are available via Patchstack's WordPress plugin vulnerability database at https://patchstack.com/database/Wordpress/Plugin/theme-builder-for-elementor/vulnerability/wordpress-theme-builder-for-elementor-plugin-1-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

Remediation

Update the Theme Builder For Elementor plugin to a version later than 1.2.3. The data available here does not state the first fixed release, so confirm it in the plugin's changelog or in the Patchstack advisory before treating an install as patched. In the WordPress admin dashboard, open Plugins, locate theme-builder-for-elementor and apply the update; sites managed from the command line can run wp plugin update theme-builder-for-elementor with WP-CLI. Until the update is applied, the available mitigations are weak: administrators can avoid browsing untrusted sites while logged in to wp-admin, and browsers that default to SameSite=Lax for cookies lacking an explicit attribute will decline to attach the WordPress login cookie to most cross-site POST requests, but that default has exceptions (Chromium-based browsers still send such cookies on cross-site POSTs for roughly two minutes after they are set, and any state change reachable through a GET request is unprotected), so it must not be relied on as the fix. Confirmation of the patched version is available from the Patchstack database entry and the plugin's official support channels.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
