CVE-2025-8081

CWE-22 — Path Traversal CWE-288 CWE-441 CWE-79 — Cross-site Scripting (XSS)6 documents5 sources

Severity

4.9MEDIUM

EPSS

0.1%

top 79.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elementor Website Builder Elemntor Elementor Website Builder – More Than Just A Page Builder

Timeline

PublishedAug 12

Description

The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDelementor/website_builder< 3.30.3

▶CVEListV5elemntor/elementor_website_builder_–_more_than_just_a_page_builder3.30.2

Patches

Patch: github.com ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import↗2025-08-12

▶

GHSA

GHSA-4f9c-3v6f-46qp: The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3↗2025-08-12

▶

GHSA

Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload↗2025-05-05

▶

GHSA

Mitmweb API Authentication Bypass Using Proxy Server↗2025-02-06

▶

💥Exploits & PoCs

Exploit-DB

Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow↗2025-05-25

▶