WordPress Plugin Vulnerabilities

Elementor < 3.30.3 - Admin+ Arbitrary File Read via Image Import

Description

The plugin is vulnerable to Arbitrary File Read via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
elementor
Fixed in 3.30.3

References

CVE
CVE-2025-8081
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/13929b51-b32e-401c-a642-49f7cd2d07bf

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
87fd0b78-c0e8-43a8-8b52-bd7a294a96e0

Timeline

Publicly Published
2025-08-11 (about 7 months ago)
Added
2025-08-11 (about 7 months ago)
Last Updated
2025-08-11 (about 7 months ago)

Other

Published
Title
Published
2023-12-27
Title
Product Catalog Simple < 1.7.7 - Sensitive Information Exposure via Product CSV
Published
2025-12-04
Title
SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure
Published
2025-06-13
Title
Sharable Password Protected Posts < 1.1.1 - Unauthenticated Password Protect Post Access
Published
2025-09-29
Title
Upload.am < 1.0.1 - Contributor+ Arbitrary Option Update
Published
2025-09-26
Title
Page Manager for Elementor <= 2.0.5 - Authenticated (Subscriber+) Sensitive Information Exposure