Platform
wordpress
Component
templines-helper-core
Fixed in
2.8
CVE-2025-1295 is a privilege escalation vulnerability in the Templines Elementor Helper Core plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can exploit the flaw to elevate their own account to Administrator. All versions up to and including 2.7 are affected; exploitation also requires the BuddyPress plugin to be installed and active on the same site.
Successful exploitation of CVE-2025-1295 allows an attacker to gain complete administrative control over a WordPress site. This includes the ability to modify content, install/uninstall plugins, change user roles, access sensitive data, and potentially compromise the entire system. The requirement for BuddyPress to be installed narrows the attack surface somewhat, but many WordPress sites utilize BuddyPress for community features, increasing the potential impact. The ease of privilege escalation, requiring only Subscriber access, makes this a particularly concerning vulnerability.
CVE-2025-1295 was publicly disclosed on 2025-02-27. While no public exploits have been confirmed at the time of writing, the ease of exploitation and the potential for widespread impact suggest a medium probability of exploitation. It is recommended to prioritize patching this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.20% (42nd percentile)
The primary mitigation for CVE-2025-1295 is to upgrade the Templines Elementor Helper Core plugin to version 2.8 or later as soon as possible. If upgrading is not immediately feasible because of compatibility issues or breaking changes, deactivate the plugin until it can be updated; because the flaw requires BuddyPress to be active, deactivating BuddyPress also removes the precondition, at the cost of the site's community features. A WAF rule alone is unlikely to be a reliable fix. A limited workaround is to use WordPress's user-meta filters to block writes to role-bearing user meta (the capabilities key) by users who lack the promote_users capability. Whichever option you choose, audit user roles for unexpected Administrator accounts and review recent role changes for anything a Subscriber should not have been able to do.
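The following must-use plugin is an added example of the user-meta workaround described above; it is not code from the Templines plugin, BuddyPress, or the advisory. It assumes the escalation ends in a write of a privileged role into the user's capabilities meta (wp_capabilities, plus the legacy wp_user_level) and that only users who hold promote_users (Administrators by default) should be able to perform such a write. The filename, the BRE_ prefix and the list of protected roles are illustrative choices.

```php
<?php
/**
 * Plugin Name: Block role escalation through user meta
 * Description: Added example (not part of the Templines plugin). Save as
 *              wp-content/mu-plugins/block-role-escalation.php (assumed filename).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Roles that must not be granted by a user-meta write unless the acting user
// may legitimately promote users. Assumption: adjust to the site's role set.
const BRE_PROTECTED_ROLES = array( 'administrator', 'editor' );

/**
 * Meta keys that carry role/capability data. WordPress prefixes them with the
 * table prefix, so on a default install they are wp_capabilities and wp_user_level.
 */
function bre_protected_meta_keys() {
    global $wpdb;
    return array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );
}

/**
 * Does this meta value grant one of the protected roles?
 * Capabilities arrive as an array such as array( 'administrator' => true )
 * (the filter runs before serialization); user_level is a legacy integer
 * where 7 and above correspond to Editor and Administrator.
 */
function bre_grants_protected_role( $meta_key, $meta_value ) {
    global $wpdb;
    if ( $meta_key === $wpdb->prefix . 'user_level' ) {
        return (int) $meta_value >= 7;
    }
    $caps = is_array( $meta_value ) ? $meta_value : maybe_unserialize( $meta_value );
    if ( ! is_array( $caps ) ) {
        return false;
    }
    foreach ( BRE_PROTECTED_ROLES as $role ) {
        if ( ! empty( $caps[ $role ] ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Short-circuit update_user_meta()/add_user_meta() when the write would grant
 * a protected role and the acting user lacks promote_users. Returning a
 * non-null value from these filters skips the database write entirely.
 */
function bre_block_capability_write( $check, $object_id, $meta_key, $meta_value ) {
    if ( ! in_array( $meta_key, bre_protected_meta_keys(), true ) ) {
        return $check;
    }
    if ( ! bre_grants_protected_role( $meta_key, $meta_value ) ) {
        // e.g. self-registration assigning the default Subscriber role: allowed.
        return $check;
    }
    // WP-CLI and users who may promote others (Administrators) are allowed through.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || current_user_can( 'promote_users' ) ) {
        return $check;
    }
    error_log( sprintf(
        'block-role-escalation: denied write of %s for user %d by user %d from %s',
        $meta_key,
        (int) $object_id,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
    ) );
    return false; // update_user_meta() now returns false without touching wp_usermeta
}
add_filter( 'update_user_metadata', 'bre_block_capability_write', 10, 4 );
add_filter( 'add_user_metadata', 'bre_block_capability_write', 10, 4 );
```

Two caveats apply. The filters only see writes that go through the metadata API; a plugin that updates wp_usermeta with a raw SQL query bypasses them, so this is a stopgap rather than a substitute for the 2.8 update. And any legitimate code path that assigns an Administrator or Editor role without a logged-in Administrator (an installer or a custom cron job, for example) will also be denied and logged, which is why the error_log line is worth watching after deployment.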
Update the Templines Elementor Helper Core plugin to version 2.8 or higher to remediate the privilege escalation vulnerability. Ensure that the BuddyPress plugin is also updated to the latest available version.
CVE-2025-1295 is a vulnerability in the Templines Elementor Helper Core WordPress plugin allowing authenticated users to escalate privileges to Administrator if BuddyPress is installed. It's rated HIGH severity.
You are affected if you are using Templines Elementor Helper Core version 0.0 through 2.7 and have the BuddyPress plugin installed and activated on your WordPress site.
Upgrade the Templines Elementor Helper Core plugin to version 2.8 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no confirmed exploits are public, the ease of exploitation suggests a potential for active exploitation. Prioritize patching to mitigate the risk.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and release notes for version 2.8.