Search criteria
4 vulnerabilities found for Blaze Demo Importer by blazethemes
CVE-2025-13334 (GCVE-0-2025-13334)
Vulnerability from nvd – Published: 2025-12-12 03:20 – Updated: 2025-12-12 18:39
VLAI?
Title
Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion
Summary
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Blaze Demo Importer |
Affected:
1.0.0 , ≤ 1.0.13
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:39:38.816851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:39:51.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blaze Demo Importer",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.13",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the \"blaze_demo_importer_install_demo\" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T03:20:58.895Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d83cd6a0-d69c-4e6c-b76f-00c398b5f7e6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blaze-demo-importer/tags/1.0.13/blaze-demo-importer.php?marks=67-89#L68"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-11T15:12:44.000+00:00",
"value": "Disclosed"
}
],
"title": "Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13334",
"datePublished": "2025-12-12T03:20:58.895Z",
"dateReserved": "2025-11-17T20:03:30.316Z",
"dateUpdated": "2025-12-12T18:39:51.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8446 (GCVE-0-2025-8446)
Vulnerability from nvd – Published: 2025-09-16 11:17 – Updated: 2025-09-16 19:30
VLAI?
Title
Blaze Demo Importer <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install
Summary
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Blaze Demo Importer |
Affected:
* , ≤ 1.0.12
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T19:29:56.774556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:30:06.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blaze Demo Importer",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.12",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the \u0027blaze_demo_importer_install_plugin\u0027 function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T11:17:09.118Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a91bd1cf-ac63-4d65-b9fc-3fa2507cc27e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blaze-demo-importer/trunk/blaze-demo-importer.php#L91"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3361179/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-15T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Blaze Demo Importer \u003c= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8446",
"datePublished": "2025-09-16T11:17:09.118Z",
"dateReserved": "2025-07-31T19:44:08.833Z",
"dateUpdated": "2025-09-16T19:30:06.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-13334 (GCVE-0-2025-13334)
Vulnerability from cvelistv5 – Published: 2025-12-12 03:20 – Updated: 2025-12-12 18:39
VLAI?
Title
Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion
Summary
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Blaze Demo Importer |
Affected:
1.0.0 , ≤ 1.0.13
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:39:38.816851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:39:51.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blaze Demo Importer",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.13",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the \"blaze_demo_importer_install_demo\" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T03:20:58.895Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d83cd6a0-d69c-4e6c-b76f-00c398b5f7e6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blaze-demo-importer/tags/1.0.13/blaze-demo-importer.php?marks=67-89#L68"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-11T15:12:44.000+00:00",
"value": "Disclosed"
}
],
"title": "Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13334",
"datePublished": "2025-12-12T03:20:58.895Z",
"dateReserved": "2025-11-17T20:03:30.316Z",
"dateUpdated": "2025-12-12T18:39:51.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8446 (GCVE-0-2025-8446)
Vulnerability from cvelistv5 – Published: 2025-09-16 11:17 – Updated: 2025-09-16 19:30
VLAI?
Title
Blaze Demo Importer <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install
Summary
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Blaze Demo Importer |
Affected:
* , ≤ 1.0.12
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T19:29:56.774556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:30:06.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blaze Demo Importer",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.12",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the \u0027blaze_demo_importer_install_plugin\u0027 function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T11:17:09.118Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a91bd1cf-ac63-4d65-b9fc-3fa2507cc27e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blaze-demo-importer/trunk/blaze-demo-importer.php#L91"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3361179/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-15T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Blaze Demo Importer \u003c= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8446",
"datePublished": "2025-09-16T11:17:09.118Z",
"dateReserved": "2025-07-31T19:44:08.833Z",
"dateUpdated": "2025-09-16T19:30:06.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}