Skip to main content

BlocksWP Theme Builder For Elementor CVE-2025-54033

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-16 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in BlocksWP Theme Builder For Elementor theme-builder-for-elementor allows Cross Site Request Forgery.This issue affects Theme Builder For Elementor: from n/a through <= 1.2.3.

AnalysisAI

Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability lacks a published CVSS score and shows minimal exploitation probability (0.02% EPSS), with no public exploit code or active exploitation reported, suggesting limited real-world risk despite the security-conscious WordPress ecosystem.

Technical ContextAI

This vulnerability exploits insufficient CSRF token validation in the Theme Builder For Elementor WordPress plugin. The affected product is a WordPress theme builder extension that integrates with Elementor page builder (CPE context: WordPress plugin, theme-builder-for-elementor). CWE-352 (Cross-Site Request Forgery) indicates the plugin fails to implement or properly validate anti-CSRF tokens (nonces in WordPress terminology) on state-changing requests. An attacker can craft malicious web pages or emails that trick authenticated WordPress administrators or users into performing unintended actions, such as modifying theme settings or publishing malicious content, without explicit user consent.

Affected ProductsAI

BlocksWP Theme Builder For Elementor (theme-builder-for-elementor WordPress plugin) versions through 1.2.3 are affected. This is a WordPress plugin package that extends Elementor page builder functionality. The vulnerability encompasses all versions from initial release through version 1.2.3 inclusive. Vendor advisory and vulnerability details are available via Patchstack's WordPress plugin vulnerability database at https://patchstack.com/database/Wordpress/Plugin/theme-builder-for-elementor/vulnerability/wordpress-theme-builder-for-elementor-plugin-1-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve.

RemediationAI

Update the Theme Builder For Elementor plugin to a version above 1.2.3 (exact fixed version not specified in available data; consult the plugin repository or vendor advisory for the first patched release). Users should navigate to their WordPress admin dashboard, access Plugins, and update the theme-builder-for-elementor plugin to the latest available version. As a temporary workaround pending updates, administrators should avoid visiting untrusted websites while logged into WordPress admin accounts and educate users about CSRF risks. Full remediation details and patch confirmation are available on the Patchstack vulnerability database and the official plugin support channels.

Share

CVE-2025-54033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy