Blaze Demo Importer 1.0.0 – 1.0.13 – Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion | CVE 2025-13334 | Plugin Vulnerabilities

Description

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder.

Affects Plugins

blaze-demo-importer

Fixed in 1.0.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d83cd6a0-d69c-4e6c-b76f-00c398b5f7e6

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

kr0d

Verified

No

WPVDB ID

796d7c2b-8ca9-4e58-acc1-a93176151dcf

Timeline

Publicly Published

2025-12-11 (about 5 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2025-12-12 (about 5 months ago)

Other

Published

Title

Published

2024-05-09

Title

MC Woocommerce Wishlist < 1.7.3 - Missing Authorization

Published

2023-11-07

Title

MSHOP MY SITE < 1.1.8 - Subscriber+ Settings Update

Published

2024-08-14

Title

Sensei LMS < 4.24.2 - Unauthenticated Email Template Leak

Published

2025-12-12

Title

Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion

Published

2023-12-27

Title

WooCommerce Canada Post Shipping < 2.8.4 - Unauthenticated Unauthorised Action