Arbitrary File Read Vulnerability in UiCore Elements Plugin for WordPress
CVE-2025-6253

7.5HIGH

Key Information:

Vendor: WordPress
Status: Uicore Elements – Free Elementor Widgets And Templates
Vendor: CVE Published:; 12 August 2025

What is CVE-2025-6253?

The UiCore Elements plugin for WordPress, which provides free Elementor widgets and templates, has a security flaw that allows unauthorized users to exploit the prepare_template() function. Due to the absence of appropriate capability checks and lax controls on the filenames, attackers can potentially read sensitive files on the server. This vulnerability, present in all versions up to 1.3.0, poses a significant risk of exposing confidential information stored on the web server.

Affected Version(s)

UiCore Elements – Free Elementor widgets and templates * <= 1.3.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3314574/uico...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2025
Vulnerability Reserved
Jun 18, 2025

Credit

Michael Mazzolini