The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
{
"cwe_ids": [
"CWE-22"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/8xxx/CVE-2025-8081.json",
"cna_assigner": "Wordfence"
}{
"cpe": "cpe:2.3:a:elementor:website_builder:*:*:*:*:free:wordpress:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.30.3"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}