CVE-2025-8446: CWE-862 Missing Authorization in blazethemes Blaze Demo Importer
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.
AI Analysis
Technical Summary
The Blaze Demo Importer plugin for WordPress suffers from a missing capability check in the 'blaze_demo_importer_install_plugin' function, enabling authenticated users with low privileges (Subscriber and above) to install and activate a limited set of plugins. This vulnerability affects all versions up to and including 1.0.12. Successful exploitation depends on the News Kit Elementor Addons plugin and a BlazeThemes theme being installed and active. The issue is tracked as CWE-862 (Missing Authorization). The CVSS v3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, and limited impact on integrity without confidentiality or availability impact. No known exploits are reported in the wild.
Potential Impact
An attacker with authenticated Subscriber-level access or higher can install and activate specific plugins without proper authorization, potentially leading to unauthorized changes in the WordPress environment. The impact is limited to integrity as no confidentiality or availability impacts are indicated. The vulnerability requires certain plugins/themes to be present, limiting the scope of exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted users only and monitor plugin installations closely. Avoid installing or activating the News Kit Elementor Addons plugin and BlazeThemes themes if possible, as these are prerequisites for exploitation.
CVE-2025-8446: CWE-862 Missing Authorization in blazethemes Blaze Demo Importer
Description
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Blaze Demo Importer plugin for WordPress suffers from a missing capability check in the 'blaze_demo_importer_install_plugin' function, enabling authenticated users with low privileges (Subscriber and above) to install and activate a limited set of plugins. This vulnerability affects all versions up to and including 1.0.12. Successful exploitation depends on the News Kit Elementor Addons plugin and a BlazeThemes theme being installed and active. The issue is tracked as CWE-862 (Missing Authorization). The CVSS v3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, and limited impact on integrity without confidentiality or availability impact. No known exploits are reported in the wild.
Potential Impact
An attacker with authenticated Subscriber-level access or higher can install and activate specific plugins without proper authorization, potentially leading to unauthorized changes in the WordPress environment. The impact is limited to integrity as no confidentiality or availability impacts are indicated. The vulnerability requires certain plugins/themes to be present, limiting the scope of exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted users only and monitor plugin installations closely. Avoid installing or activating the News Kit Elementor Addons plugin and BlazeThemes themes if possible, as these are prerequisites for exploitation.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-07-31T19:44:08.833Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68c9496f561c5e692a3e1c60
Added to database: 9/16/2025, 11:26:39 AM
Last enriched: 4/9/2026, 10:53:18 AM
Last updated: 5/10/2026, 2:31:54 AM
Views: 197
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.