CVE-2025-6253

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3314574/uicore-elements#file3
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7cd6e44-bd78-4eb8-bab8-09e2af583222?source=cve

Configurations

No configuration.

History

12 Aug 2025, 14:25

Type	Values Removed	Values Added
Summary		(es) El complemento UiCore Elements – Free Elementor widgets and templates para WordPress es vulnerable a la lectura arbitraria de archivos en todas las versiones hasta la 1.3.0 incluida, mediante la función prepare_template() debido a la falta de una comprobación de capacidad y a la insuficiencia de controles en el nombre de archivo especificado. Esto permite que atacantes no autenticados lean el contenido de archivos arbitrarios en el servidor, que pueden contener información confidencial.

12 Aug 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 06:15

Updated : 2025-08-12 14:25

NVD link : CVE-2025-6253

Mitre link : CVE-2025-6253

CVE.ORG link : CVE-2025-6253

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

7.5 /10