40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin


On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality.

Props to mikemyers who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $617.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 18, 2025. Sites using the free version of Wordfence received the same protection 30 days later on July 18, 2025.

We contacted the UICORE team on June 18, 2025, and they registered on our Wordfence Vulnerability Management Portal for WordPress vendors on the next day, June 19, 2025. After receiving the full disclosure details instantly through the portal, the developer released the patch on the same day, June 19, 2025. We would like to commend the UICORE team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of UiCore Elements, version 1.3.1 at the time of this publication, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 7.5 (High)
CVE-ID: CVE-2025-6253
Affected Versions: all versions up to, and including, 1.3.0
Patched Version: 1.3.1
Bounty: $617.00
Affected Software Slug:
Researcher: mikemyers

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Rating: 4.9 (Medium)
CVE-ID: CVE-2025-8081
Affected Versions: all versions up to, and including, 3.30.2
Patched Version: 3.30.3
Affected Software: Elementor
Affected Software Slug:
Researcher:

The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Technical Analysis

Examining the code reveals that the plugin uses the prepare_template() function in the UiCoreElementsREST_API class to import templates. The function is exposed as a REST API route:

register_rest_route('uielem/v1', '/prepare_template', [
    'methods' => 'POST',
    'callback' => [$this, 'prepare_template'],
    'permission_callback' => '__return_true',
]);

The permission_callback for this route is set to __return_true, so the endpoint is reachable by anyone, with no authentication or capability check at all.

public function prepare_template(WP_REST_Request $request)
{
    $template = $request->get_param('data');
    $template = json_decode($template, true);
    $template = DesignCloud::import_content($template);
    return [
        'success' => true,
        'template' => $template,
    ];
}

static function import_content($content)
{
    return ElementorPlugin::instance()->db->iterate_data(
        $content,
        function ($element_data) {
            // change the element id
            $element_data['id'] = ElementorUtils::generate_random_string();
            $element = ElementorPlugin::instance()->elements_manager->create_element_instance($element_data);

            if (!$element) {
                return null;
            }

            return self::process_import_content($element);
        }
    );
}

static function process_import_content(ElementorControls_Stack $element)
{
    $element_data = $element->get_data();
    $method       = 'on_import';

    if (method_exists($element, $method)) {
        $element_data = $element->{$method}($element_data);
    }

    // ... (remainder of the function omitted in this excerpt)
}

The on_import() handlers called here rely on Elementor’s import functionality. For image controls, the handler invokes the import() function in the ElementorTemplateLibraryClassesImport_Images class, which reads the file at the path given in the attachment’s tmp_name parameter and saves its contents to the uploads folder as an image attachment.

public function import( $attachment, $parent_post_id = null ) {
	if ( isset( $attachment['tmp_name'] ) ) {
		// Used when called to import a directly-uploaded file.
		$filename = $attachment['name'];

		$file_content = Utils::file_get_contents( $attachment['tmp_name'] );
		// ... (remainder of the function omitted in this excerpt)
	}
}

Unfortunately, in the vulnerable version this function performs no file type or file source check on tmp_name. The path is therefore not limited to a freshly uploaded temporary file: any file the web server process can read, including .php source files, is copied into the uploads folder under an image extension such as .jpg, where it is publicly accessible and readable.

This ultimately makes it possible for unauthenticated attackers to read any arbitrary file on the server, including the site’s wp-config.php file, which contains the database settings and authentication unique keys and salts.
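As an added example (not code from the Wordfence post or from either plugin), the following Python check looks for the artefact this bug leaves behind on disk: a file in the uploads folder that carries an image extension but whose content is not an image. The sample uploads tree is constructed in a temporary directory; the set of image signatures checked is an assumption.

```python
"""Scan a WordPress uploads tree for image-named files whose header is not an image."""
import os
import tempfile
from pathlib import Path

# Assumed magic bytes per extension; only these image types are checked.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),
}


def is_mismatched(path: Path) -> bool:
    """True if the extension claims an image but the leading bytes disagree."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return False  # not an image-named file; out of scope for this check
    with path.open("rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(s) for s in sigs)


def scan_uploads(root: str) -> list[str]:
    """Return sorted relative paths of image-named files with non-image content."""
    root_path = Path(root)
    hits = []
    for dirpath, _, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if is_mismatched(p):
                hits.append(str(p.relative_to(root_path)))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed uploads tree: a real PNG header, a .jpg holding PHP, a text file."""
    tmp = tempfile.mkdtemp()
    d = Path(tmp) / "2025" / "06"
    d.mkdir(parents=True)
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # Constructed stand-in for a wp-config.php copied in under an image name.
    (d / "template-1.jpg").write_bytes(b"<?php\ndefine('DB_NAME', 'placeholder');\n")
    (d / "notes.txt").write_bytes(b"plain text")
    return scan_uploads(tmp)


if __name__ == "__main__":
    print(demo())  # ['2025/06/template-1.jpg']
```

Point scan_uploads() at wp-content/uploads on a site that ran a vulnerable version; any hit deserves a look at its content and creation time.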

The Patch

The vendor of the UiCore Elements plugin patched this issue by adding a check_for_permission() function as the REST API route’s permission_callback. It requires the manage_options capability, which only administrators hold by default.

register_rest_route('uielem/v1', '/prepare_template', [
    'methods' => 'POST',
    'callback' => [$this, 'prepare_template'],
    'permission_callback' => [$this, 'check_for_permission'],
]);

public function check_for_permission()
{
    return current_user_can('manage_options');
}

The vendor then informed us that the arbitrary file read itself lives in the import function of the Elementor plugin. Our Wordfence Threat Intelligence team validated that vulnerability, identified the vulnerable function, created a proof of concept, and reached out to the vendor of the Elementor plugin.

The vendor of the Elementor plugin patched this issue by adding a file source check using the is_uploaded_file() function. PHP’s is_uploaded_file() returns true only for a file that was uploaded via HTTP POST in the current request, so a tmp_name pointing at any other path on the server is rejected and its contents are never read.

public function import( $attachment, $parent_post_id = null ) {
	if ( isset( $attachment['tmp_name'] ) ) {
		// Used when called to import a directly-uploaded file.
		$filename = $attachment['name'];
		$file_content = false;

		// security validation in case the tmp_name has been tampered with
		if ( is_uploaded_file( $attachment['tmp_name'] ) ) {
			$file_content = Utils::file_get_contents( $attachment['tmp_name'] );
		}
		// ... (remainder of the function omitted in this excerpt)
	}
}
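As an added example (not part of the Wordfence post), a small Python check that pulls requests to the uielem/v1/prepare_template route out of a combined-format web server access log. The log lines are constructed; WordPress serves the route both as /wp-json/uielem/v1/prepare_template and via ?rest_route=, and since an access log cannot show whether a request was authenticated, every POST to the route from before a site was patched is worth reviewing.

```python
"""Find POST requests to the UiCore prepare_template REST route in an access log."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE = "uielem/v1/prepare_template"

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2025:10:01:02 +0000] "POST /wp-json/uielem/v1/prepare_template HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [14/Jun/2025:10:01:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jun/2025:10:02:30 +0000] "POST /index.php?rest_route=%2Fuielem%2Fv1%2Fprepare_template HTTP/1.1" 200 5110 "-" "curl/8.0"
192.0.2.9 - - [14/Jun/2025:10:03:00 +0000] "POST /wp-json/uielem/v1/prepare_template HTTP/1.1" 403 120 "-" "python-requests/2.31"
"""


def hits_route(path: str) -> bool:
    """Match the route whether given as a pretty URL or a percent-encoded rest_route."""
    return ROUTE in unquote(path)


def find_hits(log_text: str) -> list[tuple[str, str, int]]:
    """Return (ip, timestamp, status) for every POST that targeted the route."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and hits_route(m["path"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def summarize(log_text: str) -> Counter:
    """Count 2xx hits per source IP. A 4xx on this route means the request was
    refused, for example by the patched permission_callback or a firewall rule."""
    return Counter(ip for ip, _, st in find_hits(log_text) if 200 <= st < 300)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # Counter({'203.0.113.5': 2})
```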

Disclosure Timeline

June 13, 2025 – We received the submission for the Arbitrary File Read vulnerability in UiCore Elements via the Wordfence Bug Bounty Program.
June 17, 2025 – We validated the report and confirmed the proof-of-concept exploit.
June 18, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
June 18, 2025 – We initiated outreach to the vendor, letting them know we had a new vulnerability to disclose and offering them access to the Wordfence Vulnerability Management Portal to manage the disclosure.
June 19, 2025 – The vendor registered on our Wordfence Vulnerability Management Portal for WordPress vendors.
June 19, 2025 – The full disclosure details were sent instantly to the vendor upon registering and verifying ownership of their software. The vendor acknowledged the report and began working on a fix.
June 19, 2025 – The fully patched version of the UiCore Elements plugin, 1.3.1, was released.
July 10, 2025 – Wordfence Threat Intelligence team identified the vulnerable import function in the Elementor plugin.
July 10, 2025 – We sent over the full disclosure details to the vendor of the Elementor plugin.
July 18, 2025 – Wordfence Free users received the same protection.
July 22, 2025 – The fully patched version of the Elementor plugin, 3.30.3, was released.

Conclusion

In this blog post, we detailed an Arbitrary File Read vulnerability within the UiCore Elements plugin affecting versions 1.3.0 and earlier. This vulnerability allows unauthenticated threat actors to read arbitrary files, which can contain sensitive information. The vulnerability has been addressed in version 1.3.1 of the plugin. The related administrator-level arbitrary file read vulnerability within the Elementor plugin was patched in version 3.30.3 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of UiCore Elements as soon as possible considering the critical nature of this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
