CVE-2025-8081
Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image ImportThe Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
We have discovered 1,514,831 live websites that are affected by CVE-2025-8081.
Affected Software
| Product |  Elementor |
| Category | Landing Page Builders |
| Vulnerable Domains | 1,514,831 live websites (56% of Elementor install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 293 versions ( 95% of all versions) |
Common Weakness Enumeration
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Details
- Published - Aug 12, 2025
- Updated - Aug 12, 2025
Credits
- Michael Mazzolini (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-8081 United States | 401,781 websites |
 Germany | 141,326 websites |
 France | 83,522 websites |
 Italy | 66,097 websites |
 Brazil | 63,672 websites |
 GB | 63,106 websites |
 Spain | 52,541 websites |
 Netherlands | 44,528 websites |
 Poland | 41,771 websites |
 Russia | 33,327 websites |
Website Distribution by TLD
Number of websites using CVE-2025-8081| .com | 625,313 websites |
| .de | 75,741 websites |
| .com.br | 59,587 websites |
| .org | 58,268 websites |
| .it | 48,546 websites |
| .nl | 37,919 websites |
| .co.uk | 36,022 websites |
| .fr | 34,770 websites |
| .net | 33,261 websites |
| .pl | 31,982 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-8081
Top websites that are affected by CVE-2025-8081. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.io | France | *** | |
| **************.de | Germany | *** | |
| ************.com | United States | *,*** | |
| ************.de | Germany | *,*** | |
| ****.net | United States | *,*** | |
| ***********.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ***.***.ca |  Canada | *,*** | |
| ***********.com | United States | *,*** | |
| **********.com | United States | *,*** |
FAQ
CVE-2025-8081 is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Elementor
A total of 1,514,831 websites have been identified as vulnerable to CVE-2025-8081, based on global website indexing conducted by WebTechSurvey.
The Elementor is affected by the CVE-2025-8081 vulnerability.
Elementor versions up to and including 3.30.2 are vulnerable to CVE-2025-8081.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/13929b51-b32e-401c-a642-49f7cd2d07bf?source=cve
- https://plugins.trac.wordpress.org/browser/elementor/tags/3.30.2/includes/template-library/classes/class-import-images.php#L111
- https://github.com/elementor/elementor/commit/6af3551ee4213fb4003338743e22f41aa2a09c01
- https://plugins.trac.wordpress.org/changeset/3332233/elementor/trunk/includes/template-library/classes/class-import-images.php