CVE-2025-6253 HIGH

CVE-2025-6253: UiCore Elements <= 1.3.0 - Missing Authorization to Unauthenticated Arbitrary File Read

Vendor Uicore
Product UiCore Elements – Free widgets and templates for Elementor
Weakness CWE-862 · Missing authorization
Published August 12, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Key dates

02Disclosure timeline

August 12, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-24021 iTop doesn't have mass assignment of fields in the portal form CVE-2026-39704 WordPress Precious Metals Automated Product Pricing – Pro plugin <= 4.0.5 - Broken Access Control vulnerability CVE-2020-36716 WP Activity Log <= 4.0.1 - Missing Authorization CVE-2026-6512 InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters CVE-2025-26773 WordPress Analytify plugin <= 5.5.0 - Broken Access Control vulnerability