CVE-2025-13334
Unauthorized Database Reset in Blaze Demo Importer Plugin
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blaze | demo_importer | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Blaze Demo Importer plugin for WordPress has a vulnerability due to a missing capability check in the function `blaze_demo_importer_install_demo`. This allows authenticated users with subscriber level access or higher to perform unauthorized actions such as resetting the database by truncating most tables, deleting sidebar widgets, theme modifications, and the contents of the uploads folder.
How can this vulnerability impact me?
This vulnerability can lead to significant data loss and disruption. An attacker with subscriber level access can reset the database by removing most tables, delete sidebar widgets, theme customizations, and uploaded content, potentially causing loss of website functionality and data integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Blaze Demo Importer plugin to a version later than 1.0.13 where the missing capability check is fixed. Additionally, restrict subscriber level access and above from performing database reset or file deletion actions until the update is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the Blaze Demo Importer plugin version 1.0.13 or earlier is installed on your WordPress site. Since the vulnerability allows authenticated users with subscriber level access or above to trigger the `blaze_demo_importer_install_demo` function without proper capability checks, you can look for suspicious POST requests to admin-ajax.php with the action parameter set to `blaze_demo_importer_install_demo`. For example, you can use network monitoring tools or web server logs to search for such requests. A sample command to search web server logs (assuming Apache) for such requests is: `grep 'action=blaze_demo_importer_install_demo' /var/log/apache2/access.log`. Additionally, you can check the installed plugin version via WP-CLI with: `wp plugin list | grep blaze-demo-importer`. If the version is 1.0.13 or below, the site is vulnerable. Monitoring for unexpected database resets or deletions of uploads folder content may also indicate exploitation attempts. [2]
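The two checks above, as an added Python example that is not part of this record and not code from the Blaze Demo Importer plugin: it parses Apache/nginx combined-format access logs for admin-ajax.php requests that carry the `blaze_demo_importer_install_demo` action, and it reads the CSV form of `wp plugin list --fields=name,version --format=csv` to decide whether the installed version is 1.0.13 or earlier. Both the log lines (TEST-NET addresses) and the plugin list are constructed samples. One caveat the grep command glosses over: admin-ajax.php actions are usually sent in the POST body, which access logs do not record, so a query-string match only catches part of the traffic; the example therefore also lists admin-ajax.php POSTs with no visible action, which have to be classified from a WAF or request-body audit log instead.

```python
"""
Added example for this CVE record: scan web-server access logs for
admin-ajax.php requests carrying the blaze_demo_importer_install_demo action,
and check whether an installed Blaze Demo Importer version is in the affected
range (1.0.13 or earlier). Illustrative code, not the plugin's own code.
"""
import csv
import io
import re
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "blaze_demo_importer_install_demo"
LAST_AFFECTED = (1, 0, 13)  # per the advisory: 1.0.13 and below are affected

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (TEST-NET addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=blaze_demo_importer_install_demo HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.9 - - [12/Dec/2025:10:02:30 +0000] "GET /wp-content/plugins/blaze-demo-importer/readme.txt HTTP/1.1" 200 1200 "-" "curl/8.0"
"""

# Constructed output of: wp plugin list --fields=name,version --format=csv
SAMPLE_PLUGIN_CSV = """\
name,version
akismet,5.3
blaze-demo-importer,1.0.13
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _is_admin_ajax(entry):
    return urlsplit(entry["path"]).path.endswith("/wp-admin/admin-ajax.php")


def has_vulnerable_action(entry):
    """True when the query string names the vulnerable AJAX action.
    The action is often sent in the POST body instead, which access logs do not
    record, so False here does not prove the request was benign."""
    qs = parse_qs(urlsplit(entry["path"]).query)
    return _is_admin_ajax(entry) and VULN_ACTION in qs.get("action", [])


def find_install_demo_requests(log_text):
    """(ip, time, method, status) for each request with the action visible in the URL."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and has_vulnerable_action(e):
            hits.append((e["ip"], e["time"], e["method"], e["status"]))
    return hits


def posts_without_visible_action(log_text):
    """POSTs to admin-ajax.php whose action is not in the URL; these need a WAF
    or request-body audit log to classify, since grep on the access log cannot."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and _is_admin_ajax(e):
            if "action" not in parse_qs(urlsplit(e["path"]).query):
                out.append((e["ip"], e["time"]))
    return out


def parse_version(v):
    """'1.0.13' -> (1, 0, 13); numeric tuples compare correctly, unlike strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_affected_version(v):
    return parse_version(v) <= LAST_AFFECTED


def affected_plugins(plugin_csv):
    """Rows from the WP-CLI CSV where blaze-demo-importer is at an affected version."""
    rows = csv.DictReader(io.StringIO(plugin_csv))
    return [(r["name"], r["version"]) for r in rows
            if r["name"] == "blaze-demo-importer" and is_affected_version(r["version"])]


if __name__ == "__main__":
    print("install_demo requests:", find_install_demo_requests(SAMPLE_LOG))
    print("unclassified admin-ajax POSTs:", posts_without_visible_action(SAMPLE_LOG))
    print("affected plugin versions:", affected_plugins(SAMPLE_PLUGIN_CSV))
```

Versions are compared as integer tuples rather than strings so that 1.0.9 is correctly judged older than 1.0.13; a plain string comparison would get that wrong. On a real site, point `find_install_demo_requests` and `posts_without_visible_action` at the contents of the access log and `affected_plugins` at the output of the WP-CLI command named in the lead-in.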