CVE-2025-9029

MEDIUM

WDesignKit <= 1.2.16 - Unauthenticated Missing Authorization via wdkit_handle_review_submission

Title source: llm

Description

The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/browser/wdesignkit/tags/1.2.17/includes/admin/notices/class-wdkit-review-form.php#L117

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/e89f0699-42be-403a-8cdb-31e214a85851?source=cve

Scores

CVSS v3 4.3

EPSS 0.0019

EPSS Percentile 8.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

posimyththemes/WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder < 1.2.16

Published Oct 04, 2025

Tracked Since Feb 18, 2026