Description
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-08-12
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The Elementor plugin for WordPress contains a file name validation flaw in the Import_Images::import() method, allowing an authenticated user with administrator privileges or higher to read the contents of arbitrary files on the server. This flaw falls under CWE-22 and can lead to the disclosure of sensitive data such as configuration files, credentials, or any files accessible to the web application. The risk is limited to confidentiality exposure; the flaw does not directly provide code execution or denial of service.

Affected Systems

All installations of Elementor version 3.30.2 or earlier on any WordPress site, including both free and commercial deployments of the Elementor Website Builder plugin. The vulnerability affects the entire plugin and not any specific sub‑components beyond the image import functionality.

Risk and Exploitability

The CVSS score of 4.9 categorizes the vulnerability as moderate, and the EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires that the attacker already has administrator-level access on the WordPress site. No additional network access is needed beyond what an authenticated administrator possesses. The attack vector is therefore internal to the WordPress environment and is most likely to be abused by compromised or malicious administrative accounts.

Generated by OpenCVE AI on April 22, 2026 at 14:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Elementor to the latest version that addresses the file name validation issue.
  • If upgrading is not possible, restrict or remove the image import feature from the plugin or block access to the Import_Images::import() method for non‑essential roles.
  • Implement monitoring or logging of file read operations to detect suspicious activity, especially by administrator accounts.
  • Apply file system permissions that prevent the WordPress process from accessing directories that contain sensitive files.

Generated by OpenCVE AI on April 22, 2026 at 14:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24220 The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
History

Fri, 15 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Elementor website Builder
CPEs cpe:2.3:a:elementor:website_builder:*:*:*:*:free:wordpress:*:*
Vendors & Products Elementor website Builder

Tue, 12 Aug 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Tue, 12 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 Aug 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Title Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Elementor Elementor Website Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:39.960Z

Reserved: 2025-07-23T12:26:55.980Z

Link: CVE-2025-8081

cve-icon Vulnrichment

Updated: 2025-08-12T13:58:14.003Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-12T06:15:26.403

Modified: 2025-08-15T18:00:55.213

Link: CVE-2025-8081

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses