CVE-2025-13334
📋 TL;DR
The Blaze Demo Importer WordPress plugin allows authenticated attackers with subscriber-level access or higher to reset the database, delete files, and remove site customizations due to missing capability checks. This affects all WordPress sites using the plugin up to version 1.0.13. Attackers can cause complete data loss and site disruption.
💻 Affected Systems
- Blaze Demo Importer WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site destruction: all content, media files, and customizations deleted, database tables truncated except core user tables, requiring full restoration from backups.
Likely Case
Site administrators discover content missing, widgets removed, and media files deleted, requiring partial restoration and investigation.
If Mitigated
With proper access controls and monitoring, exploitation attempts are detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. Public proof-of-concept code exists in vulnerability disclosures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.14 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/blaze-demo-importer/tags/1.0.14/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Blaze Demo Importer. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 1.0.14+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched
wp plugin deactivate blaze-demo-importer
Restrict User Roles
linuxRemove subscriber and higher roles from untrusted users
wp user list --role=subscriber --field=ID | xargs wp user set-role {ID} none
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to the vulnerable function
- Enable detailed logging and monitoring for database truncation and file deletion activities
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins or run: wp plugin get blaze-demo-importer --field=versionCheck Version:
wp plugin get blaze-demo-importer --field=versionVerify Fix Applied:
Confirm plugin version is 1.0.14 or higher and test that authenticated subscribers cannot access demo import functions📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=blaze_demo_importer_install_demo
- Database truncation operations in MySQL logs
- File deletion operations in uploads directory
Network Indicators:
- Unusual admin-ajax.php requests from subscriber-level accounts
- Burst of DELETE HTTP requests
SIEM Query:
source="wordpress.log" AND "blaze_demo_importer_install_demo" AND user_role="subscriber"