CVE-2025-6253: 
WordPress vulnerability analysis and mitigation

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress has been identified with vulnerability CVE-2025-6253, discovered on August 12, 2025. This vulnerability affects all versions up to and including 1.3.0 of the plugin. The issue stems from a missing capability check and insufficient controls on the filename specified in the prepare_template() function (NVD Database).

The vulnerability is classified as a Missing Authorization (CWE-862) issue. It has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high confidentiality impact (NVD Database).

The vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server. This access to sensitive information could potentially expose critical system data, configuration files, or other confidential information stored on the affected WordPress installations (NVD Database).

Users of the UiCore Elements plugin should immediately update their installations to a version newer than 1.3.0 if available. Until an update is possible, it is recommended to consider temporarily disabling the plugin to prevent potential exploitation (NVD Database).