WordPress websites with the UiCore Elements plug-in are vulnerable
Attackers can target WordPress sites that have the UiCore Elements plug-in installed. A security patch is available for download.
The vulnerable WordPress plug-in UiCore Elements currently has around 40,000 active installations. Attackers can use two vulnerabilities to attack these sites. A patched version is available.
Two vulnerabilities closed
Security researchers from Wordfence warned of the vulnerabilities in an article. With UiCore Elements, website operators can customize the look of their pages and add widgets, among other things.
Due to insufficient checks in the upload function, attackers can view files with sensitive information on servers without authentication (CVE-2025-6254 “high”). To exploit the second vulnerability (CVE-2025-8081 “medium”), attackers must already be authenticated as an admin.
There are currently no indications that attackers are already exploiting the vulnerabilities. However, admins should not wait too long to patch. Version 1.3.1 is protected against these attacks.
Most recently, security researchers warned of attempted attacks on the WordPress theme Alone.
(des)