The Blaze Demo Importer plugin for WordPress, versions up to and including 1.0.13, suffers from a missing authorization check vulnerability identified as CVE-2025-13334 (CWE-862). The flaw exists in the 'blaze_demo_importer_install_demo' function, which lacks proper capability verification before executing critical operations. As a result, any authenticated user with subscriber-level privileges or higher can invoke this function to trigger a database reset that truncates all tables except 'options', 'usermeta', and 'users'. Additionally, the attacker can delete all sidebar widgets, theme modifications, and the contents of the uploads folder, which typically contains media files. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The CVSS v3.1 score is 8.1, reflecting high impact on integrity and availability, though confidentiality is not affected. No patches are currently linked, and no known exploits have been observed in the wild, but the vulnerability poses a serious risk to WordPress sites using this plugin. The absence of authorization checks means that even low-privileged users can cause significant damage, potentially leading to data loss, website defacement, and service outages. This vulnerability highlights the importance of strict capability checks in WordPress plugin development to prevent privilege escalation and unauthorized destructive actions.

For European organizations, the impact of CVE-2025-13334 can be severe, particularly for businesses and institutions relying on WordPress websites for their online presence, e-commerce, or content management. The ability for low-privileged users to reset databases and delete critical site content threatens the integrity and availability of websites, potentially causing prolonged downtime and loss of customer trust. Organizations with subscriber-level user accounts—such as membership sites, forums, or multi-user blogs—are especially vulnerable if these accounts are compromised or misused. The deletion of uploads can result in permanent loss of media assets unless backups are available. This can disrupt marketing, communications, and operational activities. Additionally, recovery efforts may incur significant costs and resource allocation. The vulnerability could also be exploited as part of a broader attack chain, such as insider threats or automated attacks targeting weak user credentials. Given the widespread use of WordPress in Europe, the threat is non-trivial and requires urgent attention to prevent operational and reputational damage.

European organizations should immediately audit their WordPress installations to identify the presence of the Blaze Demo Importer plugin, especially versions up to 1.0.13. Since no official patch links are currently available, temporary mitigations include disabling or uninstalling the plugin until a secure update is released. Restrict user roles to minimize the number of subscriber-level accounts and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of account compromise. Implement strict monitoring and alerting for unusual database truncation or file deletion activities. Regularly back up WordPress databases and uploads folders with offsite storage to enable rapid recovery in case of exploitation. Review and harden WordPress user permissions and capabilities to ensure that only trusted users have access to sensitive functions. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block attempts to invoke the vulnerable function. Finally, stay informed about vendor updates and apply patches promptly once available.