{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9029", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-14T10:13:04.839Z", "datePublished": "2025-10-04T02:24:38.389Z", "dateUpdated": "2026-04-08T17:30:38.404Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:38.404Z"}, "affected": [{"vendor": "posimyththemes", "product": "WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services."}], "title": "WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.16 - Missing Authentication via wdkit_handle_review_submission Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e89f0699-42be-403a-8cdb-31e214a85851?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wdesignkit/tags/1.2.17/includes/admin/notices/class-wdkit-review-form.php#L117"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-08-04T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-08-14T10:28:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-03T14:09:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-06T15:53:07.125644Z", "id": "CVE-2025-9029", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T15:53:17.973Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-06T15:53:07.125644Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T15:53:11.280Z"}}], "cna": {"title": "WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.16 - Missing Authentication via wdkit_handle_review_submission Function", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "posimyththemes", "product": "WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-04T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-08-14T10:28:26.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-03T14:09:53.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e89f0699-42be-403a-8cdb-31e214a85851?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wdesignkit/tags/1.2.17/includes/admin/notices/class-wdkit-review-form.php#L117"}], "descriptions": [{"lang": "en", "value": "The WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-04T02:24:38.389Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9029", "state": "PUBLISHED", "dateUpdated": "2025-10-06T15:53:17.973Z", "dateReserved": "2025-08-14T10:13:04.839Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-04T02:24:38.389Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services."}], "id": "CVE-2025-9029", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-04T03:15:38.290", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wdesignkit/tags/1.2.17/includes/admin/notices/class-wdkit-review-form.php#L117"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e89f0699-42be-403a-8cdb-31e214a85851?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:19:03.135999+00:00", "value": {"mitigation_remediation": ["Upgrade the WDesignKit plugin to version 1.2.17 or later. ", "As a temporary safeguard, disable or block the wdkit_handle_review_submission endpoint, for example by adding a rule in .htaccess or configuring a web\u2011application firewall to reject POST requests to that path. ", "Continuously monitor web server logs and any external services for unexpected review submissions and investigate any anomalies."], "summary": {"action": "Patch Now", "impact": "Unauthenticated Data Submission"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder, produced by posimyththemes. Versions up to and including 1.2.16 are impacted.", "description_and_impact": "A missing authorization check in the wdkit_handle_review_submission function of the WDesignKit \u2013 Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin allows unauthenticated users to submit arbitrary feedback data to external services. This flaw means that an attacker can send crafted information that the plugin forwards without verifying that the requester is a legitimate user, potentially leaking or tampering with data sent to third\u2011party services.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The flaw is not present in the CISA KEV catalog. Exploitation requires an unauthenticated HTTP request to the wdkit_handle_review_submission endpoint, making the attack vector a remote web request that can be performed from any host."}}}}, "created": "2025-10-06T14:42:01.126869+00:00", "updated": "2026-04-20T19:30:06.158823+00:00", "vendors": ["posimyththemes", "posimyththemes$PRODUCT$wdesignkit", "wordpress", "wordpress$PRODUCT$wordpress"]}