UiCore Elements < 1.3.1 – Missing Authorization to Unauthenticated Arbitrary File Read | CVE 2025-6253 | Plugin Vulnerabilities

Description

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

uicore-elements

Fixed in 1.3.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c7cd6e44-bd78-4eb8-bab8-09e2af583222

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

99caf38a-de9a-4821-8412-5fbb2b0c88a8

Timeline

Publicly Published

2025-08-11 (about 10 months ago)

Added

2025-08-11 (about 10 months ago)

Last Updated

2025-08-12 (about 10 months ago)

Other

Published

Title

Published

2025-10-19

Title

BuddyForms <= 2.9.0 - Missing Authorization

Published

2025-01-14

Title

NitroPack < 1.17.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update

Published

2024-06-06

Title

Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow < 1.4.0 - Missing Authorization

Published

2025-05-30

Title

MaxiBlocks < 2.1.1 - Contributor+ Arbitrary Options Update

Published

2024-04-05

Title

MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.0 - Unauthenticated Arbitrary File Download