Description
The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.
Published: 2025-10-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Data Submission
Action: Patch Now
AI Analysis

Impact

A missing authorization check in the wdkit_handle_review_submission function of the WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin allows unauthenticated users to submit arbitrary feedback data to external services. This flaw means that an attacker can send crafted information that the plugin forwards without verifying that the requester is a legitimate user, potentially leaking or tampering with data sent to third‑party services.

Affected Systems

The vulnerability affects the WordPress plugin WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder, produced by posimyththemes. Versions up to and including 1.2.16 are impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The flaw is not present in the CISA KEV catalog. Exploitation requires an unauthenticated HTTP request to the wdkit_handle_review_submission endpoint, making the attack vector a remote web request that can be performed from any host.

Generated by OpenCVE AI on April 20, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WDesignKit plugin to version 1.2.17 or later.
  • As a temporary safeguard, disable or block the wdkit_handle_review_submission endpoint, for example by adding a rule in .htaccess or configuring a web‑application firewall to reject POST requests to that path.
  • Continuously monitor web server logs and any external services for unexpected review submissions and investigate any anomalies.

Generated by OpenCVE AI on April 20, 2026 at 19:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32417 The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.
History

Mon, 06 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Posimyththemes
Posimyththemes wdesignkit
Wordpress
Wordpress wordpress
Vendors & Products Posimyththemes
Posimyththemes wdesignkit
Wordpress
Wordpress wordpress

Sat, 04 Oct 2025 02:30:00 +0000

Type Values Removed Values Added
Description The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.
Title WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.16 - Missing Authentication via wdkit_handle_review_submission Function
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Posimyththemes Wdesignkit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:38.404Z

Reserved: 2025-08-14T10:13:04.839Z

Link: CVE-2025-9029

cve-icon Vulnrichment

Updated: 2025-10-06T15:53:11.280Z

cve-icon NVD

Status : Deferred

Published: 2025-10-04T03:15:38.290

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses