Refine your search
4 vulnerabilities found for by bdthemes
CVE-2025-13196 (GCVE-0-2025-13196)
Vulnerability from cvelistv5
Published
2025-11-18 09:27
Modified
2025-11-18 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bdthemes | Element Pack Addons for Elementor |
Version: * ≤ 8.3.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T21:32:58.756008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T21:33:06.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Element Pack Addons for Elementor",
"vendor": "bdthemes",
"versions": [
{
"lessThanOrEqual": "8.3.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "D.Sim"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget\u0027s marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T09:27:36.191Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0da6a080-260f-4b19-a32c-453d2781389a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3396544%40bdthemes-element-pack-lite\u0026old=3395028%40bdthemes-element-pack-lite\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-14T16:12:36.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-17T20:54:12.000+00:00",
"value": "Disclosed"
}
],
"title": "Element Pack Addons for Elementor \u003c= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13196",
"datePublished": "2025-11-18T09:27:36.191Z",
"dateReserved": "2025-11-14T15:55:22.425Z",
"dateUpdated": "2025-11-18T21:33:06.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12134 (GCVE-0-2025-12134)
Vulnerability from cvelistv5
Published
2025-10-24 09:23
Modified
2025-10-24 12:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_status() function in all versions up to, and including, 2.3.11. This makes it possible for unauthenticated attackers to enable/disable popups.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bdthemes | ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns |
Version: * ≤ 2.3.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T12:19:00.747923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:30:05.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates \u0026 Patterns",
"vendor": "bdthemes",
"versions": [
{
"lessThanOrEqual": "2.3.11",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jamie Davies"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates \u0026 Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_status() function in all versions up to, and including, 2.3.11. This makes it possible for unauthenticated attackers to enable/disable popups."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T09:23:31.083Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da9f89a2-f816-4445-8aea-11b622451ee9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3377160"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-23T21:06:17.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-23T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "ZoloBlocks \u003c= 2.3.11 - Missing Authorization to Unauthenticated Popup Enable/Disable"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12134",
"datePublished": "2025-10-24T09:23:31.083Z",
"dateReserved": "2025-10-23T20:51:09.503Z",
"dateUpdated": "2025-10-24T12:30:05.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49903 (GCVE-0-2025-49903)
Vulnerability from cvelistv5
Published
2025-10-22 14:32
Modified
2025-11-13 10:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in bdthemes ZoloBlocks zoloblocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ZoloBlocks: from n/a through <= 2.3.11.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bdthemes | ZoloBlocks |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-49903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T15:09:59.607047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T15:10:04.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "zoloblocks",
"product": "ZoloBlocks",
"vendor": "bdthemes",
"versions": [
{
"changes": [
{
"at": "2.3.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 2.3.11",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Que Thanh Tuan - Blue Rock (Patchstack Alliance)"
}
],
"datePublic": "2025-10-22T15:51:56.859Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in bdthemes ZoloBlocks zoloblocks allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects ZoloBlocks: from n/a through \u003c= 2.3.11.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in bdthemes ZoloBlocks zoloblocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ZoloBlocks: from n/a through \u003c= 2.3.11."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T10:33:40.702Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/zoloblocks/vulnerability/wordpress-zoloblocks-plugin-2-3-11-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress ZoloBlocks plugin \u003c= 2.3.11 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49903",
"datePublished": "2025-10-22T14:32:10.215Z",
"dateReserved": "2025-06-11T16:06:34.447Z",
"dateUpdated": "2025-11-13T10:33:40.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11536 (GCVE-0-2025-11536)
Vulnerability from cvelistv5
Published
2025-10-20 21:23
Modified
2025-10-21 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bdthemes | Element Pack Addons for Elementor |
Version: * ≤ 8.2.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11536",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-21T13:43:07.099730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T14:09:22.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Element Pack Addons for Elementor",
"vendor": "bdthemes",
"versions": [
{
"lessThanOrEqual": "8.2.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LionTree"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T21:23:48.282Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97c100c3-8a96-4198-b38a-206268ff20ec?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.2.4/includes/setup-wizard/init.php#L420"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-29T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-10-09T11:42:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-20T08:59:46.000+00:00",
"value": "Disclosed"
}
],
"title": "Element Pack Addons for Elementor \u003c= 8.2.5 - Authenticated (Subscriber+) Blind Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11536",
"datePublished": "2025-10-20T21:23:48.282Z",
"dateReserved": "2025-10-08T22:16:18.680Z",
"dateUpdated": "2025-10-21T14:09:22.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}