cleantalk
Vulnerabilities and Security Researches

Blaze Demo Importer, CVE-2025-8446

CVE, Research URL

CVE-2025-8446

Home page URL

Security reports for Blaze Demo Importer

Application

Blaze Demo Importer

Published on
Sep 16, 2025
Research Description
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.
Affected versions
max 1.0.13.
Status
vulnerable
Previous vulnerability researches
Blaze Demo Importer (CVE-2025-13334) , Jan 10, 2026
Blaze Demo Importer (CVE-2025-8446) , Oct 12, 2025
New vulnerability
Pure WC Variation Swatches (CVE-2025-12820) , Jan 11, 2026
WP Scraper (CVE-2025-62088) , Jan 11, 2026
Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger Live Chat Support Chat Button – Bit As (CVE-2025-68596) , Jan 11, 2026
Free Follow-Up Emails & Marketing Automation for WooCommerce – ShopMagic (CVE-2025-69093) , Jan 11, 2026
SALESmanago (CVE-2025-68571) , Jan 11, 2026