The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.
Metrics
Affected Vendors & Products
References
History
Wed, 17 Sep 2025 11:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Wordpress
Wordpress wordpress |
|
Vendors & Products |
Wordpress
Wordpress wordpress |
Tue, 16 Sep 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 16 Sep 2025 11:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability. | |
Title | Blaze Demo Importer <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install | |
Weaknesses | CWE-862 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-09-16T19:30:06.936Z
Reserved: 2025-07-31T19:44:08.833Z
Link: CVE-2025-8446

Updated: 2025-09-16T19:30:00.680Z

Status : Awaiting Analysis
Published: 2025-09-16T12:15:34.380
Modified: 2025-09-16T12:49:16.060
Link: CVE-2025-8446

No data.