CVE-2025-1639: CWE-862 Missing Authorization in crowdyTheme Animation Addons for Elementor Pro
The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site.
AI Analysis
Technical Summary
CVE-2025-1639 is a missing authorization vulnerability (CWE-862) in the Animation Addons for Elementor Pro plugin for WordPress. The flaw exists because the install_elementor_plugin_handler() function does not perform capability checks before allowing plugin installation and activation. As a result, any authenticated user with at least Subscriber privileges can install arbitrary plugins, potentially leading to site compromise. This affects all versions up to and including 1.6 of the plugin. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high impact on confidentiality, integrity, and availability.
Potential Impact
An attacker with low-level authenticated access (Subscriber or above) can install and activate arbitrary plugins on the affected WordPress site. This can lead to full site compromise, including data theft, defacement, or further malware infection. The impact is high on confidentiality, integrity, and availability of the site. The vulnerability is particularly dangerous if Elementor is not active, as it allows bypassing normal plugin installation restrictions.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor's advisory channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict user roles to trusted individuals only and consider disabling or removing the vulnerable plugin if possible to prevent exploitation.
CVE-2025-1639: CWE-862 Missing Authorization in crowdyTheme Animation Addons for Elementor Pro
Description
The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-1639 is a missing authorization vulnerability (CWE-862) in the Animation Addons for Elementor Pro plugin for WordPress. The flaw exists because the install_elementor_plugin_handler() function does not perform capability checks before allowing plugin installation and activation. As a result, any authenticated user with at least Subscriber privileges can install arbitrary plugins, potentially leading to site compromise. This affects all versions up to and including 1.6 of the plugin. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high impact on confidentiality, integrity, and availability.
Potential Impact
An attacker with low-level authenticated access (Subscriber or above) can install and activate arbitrary plugins on the affected WordPress site. This can lead to full site compromise, including data theft, defacement, or further malware infection. The impact is high on confidentiality, integrity, and availability of the site. The vulnerability is particularly dangerous if Elementor is not active, as it allows bypassing normal plugin installation restrictions.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor's advisory channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict user roles to trusted individuals only and consider disabling or removing the vulnerable plugin if possible to prevent exploitation.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-02-24T17:04:42.711Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b16b7ef31ef0b54df7c
Added to database: 2/25/2026, 9:35:18 PM
Last enriched: 4/9/2026, 10:03:54 AM
Last updated: 4/12/2026, 3:44:52 PM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.