Platform: wordpress
Component: templines-helper-core
Fixed version: 2.8
CVE-2025-1295 is a privilege escalation vulnerability in the Templines Elementor Helper Core plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can use the flaw to raise their own privileges to Administrator. It affects plugin versions 0.0 through 2.7 and is only exploitable when the BuddyPress plugin is also installed and active.
Successful exploitation gives the attacker full administrative control of the WordPress site: modifying content, installing or removing plugins, changing user roles, reading sensitive data, and, from there, potentially compromising the underlying host. The BuddyPress prerequisite narrows the affected population somewhat, but BuddyPress is widely used for community features, so the number of exposed sites is still significant. The low bar for exploitation, a Subscriber account and nothing else, makes this an especially concerning vulnerability.
CVE-2025-1295 was publicly disclosed on 2025-02-27. No public exploit had been confirmed at the time of writing, but the ease of exploitation and the potential impact suggest a medium probability of exploitation, and patching should be prioritized. The vulnerability is not currently listed in the CISA KEV catalog.
WordPress sites running the Templines Elementor Helper Core plugin together with an active BuddyPress installation are at risk. Because the flaw is reachable from any authenticated account, sites that allow open user registration (which creates Subscriber accounts by default) or that host many low-privilege users are especially exposed: a single self-registered or compromised Subscriber account is enough to take over the site.
Detection and response commands (WP-CLI, run from the WordPress root):
• Check whether the plugin is installed and which version it runs (anything at or below 2.7 is affected):
wp plugin list | grep -i templines
• Check whether the BuddyPress prerequisite is present and active:
wp plugin status | grep -i buddypress
• Update the plugin (or all plugins) to the fixed release:
wp plugin update templines-helper-core
wp plugin update --all
• Look for Administrator accounts you do not recognize, which is the artifact a successful exploit leaves behind:
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Exploitation status
EPSS: 0.20% (42nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-1295 is to upgrade the Templines Elementor Helper Core plugin to version 2.8 or later without delay. If upgrading is not immediately feasible because of compatibility concerns, temporarily deactivate the plugin. A WAF rule is unlikely to help, since the request that triggers the escalation is an ordinary authenticated request; a limited workaround is to use the WordPress metadata filters to refuse role-bearing user-meta writes from users who are not allowed to promote users. Regularly review user roles and permissions to spot unauthorized Administrator accounts.
Update the Templines Elementor Helper Core plugin to version 2.8 or later to fix the privilege escalation vulnerability. Make sure the BuddyPress plugin is also updated to the latest available version.
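The following mu-plugin is an added example of the "restrict user meta updates via WordPress filters" workaround mentioned above; it is not code from the Templines plugin or its vendor. It uses the core update_user_metadata and add_user_metadata filters to refuse writes to the capabilities and user_level meta keys unless the acting user holds the promote_users capability. It assumes (this is an assumption, since the plugin's internals are not described on this page) that the vulnerable code path ends in update_user_meta() or WP_User::set_role(); a plugin that writes the usermeta table directly with SQL would bypass it, which is why the workaround is described as limited. The function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Temporary role-change guard
 * Description: Stop-gap for CVE-2025-1295. Refuses to write role-bearing user meta
 *              unless the acting user may promote users. Added example, not code from
 *              the Templines plugin. Remove once the plugin is updated to 2.8 or later.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Return true when the current request may change role-bearing user meta.
 *
 * WordPress stores a user's roles under "{prefix}capabilities" and the legacy
 * level under "{prefix}user_level"; WP_User::set_role()/add_role() write both
 * through update_user_meta(), which is where this guard sits.
 */
function tmpl_guard_may_change_role( $meta_key ) {
    global $wpdb;

    $guarded = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );
    if ( ! in_array( $meta_key, $guarded, true ) ) {
        return true; // unrelated meta key: do not interfere
    }

    // Registration, cron and WP-CLI set roles with no logged-in user (ID 0).
    // The vulnerability needs an authenticated attacker, so this path stays open.
    if ( 0 === get_current_user_id() ) {
        return true;
    }

    // A logged-in user may change roles only if core would let them anyway.
    return current_user_can( 'promote_users' );
}

/**
 * Filter for update_user_metadata. Returning a non-null value short-circuits
 * update_metadata(), so the attempted role change never reaches the database.
 */
function tmpl_guard_filter_update( $check, $user_id, $meta_key, $meta_value, $prev_value ) {
    if ( tmpl_guard_may_change_role( $meta_key ) ) {
        return $check; // null: let core proceed normally
    }
    error_log( sprintf(
        'CVE-2025-1295 guard: user %d blocked from writing %s for user %d',
        get_current_user_id(), $meta_key, (int) $user_id
    ) );
    return false;
}
add_filter( 'update_user_metadata', 'tmpl_guard_filter_update', 10, 5 );

/** Same guard for add_user_metadata, used when the meta row does not exist yet. */
function tmpl_guard_filter_add( $check, $user_id, $meta_key, $meta_value, $unique ) {
    if ( tmpl_guard_may_change_role( $meta_key ) ) {
        return $check;
    }
    error_log( sprintf(
        'CVE-2025-1295 guard: user %d blocked from adding %s for user %d',
        get_current_user_id(), $meta_key, (int) $user_id
    ) );
    return false;
}
add_filter( 'add_user_metadata', 'tmpl_guard_filter_add', 10, 5 );
```

Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins and its hooks are in place before the vulnerable code runs. Test it on a staging copy first: any legitimate feature that changes a logged-in user's role without promote_users (membership or e-commerce plugins that assign a role after purchase, for example) will be blocked as well, and the blocked attempts show up in the PHP error log, which doubles as a detection signal while the guard is active.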
CVE-2025-1295 is a vulnerability in the Templines Elementor Helper Core WordPress plugin that lets authenticated users escalate their privileges to Administrator when BuddyPress is installed. It is rated HIGH severity.
You are affected if you run Templines Elementor Helper Core version 0.0 through 2.7 and have the BuddyPress plugin installed and activated on your WordPress site.
Upgrade the Templines Elementor Helper Core plugin to version 2.8 or later. If an immediate upgrade is not possible, deactivate the plugin temporarily.
No confirmed public exploit exists, but the low effort required to exploit the flaw means active exploitation is plausible. Prioritize patching to reduce the risk.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and the release notes for version 2.8.