CVE-2025-8446: 
WordPress vulnerability analysis and mitigation

The Blaze Demo Importer plugin for WordPress (versions up to 1.0.12) contains a vulnerability identified as CVE-2025-8446, discovered and disclosed on September 16, 2025. The vulnerability affects WordPress installations with the Blaze Demo Importer plugin installed, specifically when the News Kit Elementor Addons plugin and a BlazeThemes theme are also active (NVD).

The vulnerability stems from a missing capability check on the 'blaze_demo_importer_install_plugin' function. This security flaw has been assigned a CVSS v3.1 base score of 4.3 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to install and activate a limited number of specific plugins. This capability bypass could potentially lead to unauthorized plugin installations on affected WordPress sites (NVD).

The vulnerability has been patched in version 1.0.13 of the Blaze Demo Importer plugin, which adds user capability checks to ajax functions. Users are advised to update to this version or later to mitigate the vulnerability (WordPress Plugin).