Blaze Demo Importer < 1.0.13 – Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install | CVE 2025-8446 | Plugin Vulnerabilities

Description

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.

Affects Plugins

blaze-demo-importer

Fixed in 1.0.13

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a91bd1cf-ac63-4d65-b9fc-3fa2507cc27e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

e8b9a4e0-8e18-446c-b227-66ec320ac8a5

Timeline

Publicly Published

2025-09-15 (about 8 months ago)

Added

2025-09-15 (about 8 months ago)

Last Updated

2025-09-16 (about 8 months ago)

Other

Published

Title

Published

2022-04-11

Title

Wbcom Designs Plugins - Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation

Published

2025-04-07

Title

Flo Forms <= 1.0.43 - Missing Authorization

Published

2023-11-06

Title

Seraphinite Accelerator < 2.20.32 - Unauthorised Settings Reset/Import

Published

2024-03-28

Title

Events Manager < 6.4.7 - Missing Authorization

Published

2026-01-09

Title

Add Expires Headers & Optimized Minify < 3.3.0 - Missing Authorization