WordPress plugin UiCore Elements affected by arbitrary file read bug

The WordPress plugin UiCore Elements was found to be affected by a high-severity vulnerability allowing unauthenticated users to read arbitrary files, according to a Wordfence blog post published Monday.

UiCore Elements provides customizable widgets and templates for users of the Elementor WordPress website builder, and has more than 40,000 active installations.

The vulnerability, tracked as CVE-2025-6253, has a CVSS score of 7.5 and is rooted in two main flaws: an exposed API and a bug in the Elementor plugin itself.

The REST API endpoint used to import templates via the prepare_template() function in UiCore Elements was found to be publicly accessible, allowing any unauthenticated user to access the endpoint.

Additionally, the prepare_template() function uses the import() function of Elementor, which was found to be affected by an insufficient filename controls flaw, tracked as CVE-2025-8081. This means, although the function is meant to only handle images, any other file type, including PHP files, can be imported using this function.

This combination of flaws meant that an unauthenticated attacker could make an API call specifying any file on the server to be copied to the uploads folder, making it available online. This could include the wp-config.php file, which contains sensitive information including database credentials and authentication keys.

The unauthenticated arbitrary file read flaw was discovered by a researcher known as "mikemyers" and reported through Wordfence’s Bug Bounty Program. The researcher earned $617 for the discovery.

UiCore released a patch for CVE-2025-6253 in version 1.3.1 on June 19, 2025, one day after receiving Wordfence’s report. After Wordfence Threat Intelligence identified Elementor’s import() function as the source of arbitrary file read, it was reported to Elementor on July 10 and fully patched in Elementor version 3.30.3 on July 22.

Users of UiCore Elements versions 1.30.0 or earlier are recommended to upgrade to version 1.3.1 to prevent exploitation of CVE-2025-6253. Elementor users should also update to version 3.30.3.