The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Advisories
Source ID Title
EUVD EUVD EUVD-2025-24220 The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 15 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Elementor website Builder
CPEs cpe:2.3:a:elementor:website_builder:*:*:*:*:free:wordpress:*:*
Vendors & Products Elementor website Builder

Tue, 12 Aug 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Tue, 12 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Title Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-08-12T13:58:18.633Z

Reserved: 2025-07-23T12:26:55.980Z

Link: CVE-2025-8081

cve-icon Vulnrichment

Updated: 2025-08-12T13:58:14.003Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-12T06:15:26.403

Modified: 2025-08-15T18:00:55.213

Link: CVE-2025-8081

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-12T19:53:22Z