{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6253", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-18T19:40:23.039Z", "datePublished": "2025-08-12T05:27:09.881Z", "dateUpdated": "2026-04-08T17:21:28.951Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:28.951Z"}, "affected": [{"vendor": "uicore", "product": "UiCore Elements \u2013 Free widgets and templates for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The UiCore Elements \u2013 Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "UiCore Elements <= 1.3.0 - Missing Authorization to Unauthenticated Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7cd6e44-bd78-4eb8-bab8-09e2af583222?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3314574/uicore-elements#file3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-06-19T07:23:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-11T17:05:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T13:54:44.848055Z", "id": "CVE-2025-6253", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T13:54:49.905Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6253", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T13:54:44.848055Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T13:54:47.085Z"}}], "cna": {"title": "UiCore Elements <= 1.3.0 - Missing Authorization to Unauthenticated Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "uicore", "product": "UiCore Elements \u2013 Free widgets and templates for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-19T07:23:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-11T17:05:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7cd6e44-bd78-4eb8-bab8-09e2af583222?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3314574/uicore-elements#file3"}], "descriptions": [{"lang": "en", "value": "The UiCore Elements \u2013 Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:28.951Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6253", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:28.951Z", "dateReserved": "2025-06-18T19:40:23.039Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-12T05:27:09.881Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The UiCore Elements \u2013 Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information."}, {"lang": "es", "value": "El complemento UiCore Elements \u2013 Free Elementor widgets and templates para WordPress es vulnerable a la lectura arbitraria de archivos en todas las versiones hasta la 1.3.0 incluida, mediante la funci\u00f3n prepare_template() debido a la falta de una comprobaci\u00f3n de capacidad y a la insuficiencia de controles en el nombre de archivo especificado. Esto permite que atacantes no autenticados lean el contenido de archivos arbitrarios en el servidor, que pueden contener informaci\u00f3n confidencial."}], "id": "CVE-2025-6253", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-12T06:15:26.203", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3314574/uicore-elements#file3"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7cd6e44-bd78-4eb8-bab8-09e2af583222?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:58:35.149128+00:00", "value": {"mitigation_remediation": ["Upgrade the UiCore Elements plugin to the latest version that includes the missing authorization check.", "If an upgrade is not immediately possible, disable the plugin or block access to its endpoints until a fix is available.", "Restrict file system permissions so that the web server can access only the necessary plugin files, preventing the arbitrary read of sensitive documents."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure via arbitrary file read"}, "threat_synthesis": {"affected_systems": "All releases of the UiCore Elements plugin up to and including version\u202f1.3.0 from vendor uicore are affected. Any WordPress site installing the plugin can be impacted if it has not applied a newer version.", "description_and_impact": "The UiCore Elements plugin for WordPress allows unauthenticated users to read arbitrary file contents due to a missing capability check in the prepare_template() function, exposing sensitive data. This flaw represents a CWE\u2011862 authorization failure and can lead to disclosure of critical files such as configuration or credential files, potentially enabling further compromise.", "risk_and_exploitability": "The vulnerability carries a CVSS score of\u202f7.5, indicating high severity. However, the EPSS score of less than\u202f1% suggests that overall exploitation is unlikely at present, and it is not listed in the CISA KEV catalog. The most probable attack vector is an unauthenticated HTTP request to the plugin\u2019s prepare_template() endpoint, where the attacker supplies a crafted filename."}}}}, "created": "2026-04-20T20:00:10.531514+00:00", "updated": "2026-04-20T20:00:10.531526+00:00", "vendors": []}