CVE-2025-9029
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.16 - Missing Authentication via wdkit_handle_review_submission FunctionThe WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.
We have discovered 282 live websites that are affected by CVE-2025-9029.
Affected Software
| Product |  Wdesignkit |
| Category | Wordpress Plugins |
| Vulnerable Domains | 282 live websites (96% of Wdesignkit install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 7 versions ( 39% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Oct 4, 2025
- Updated - Apr 8, 2026
Credits
- Peter Thaleikis (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-9029 United States | 65 websites |
 Germany | 22 websites |
 India | 14 websites |
 Spain | 14 websites |
 South Africa | 13 websites |
 GB | 12 websites |
 France | 11 websites |
 Cyprus | 10 websites |
 Italy | 9 websites |
 Iran | 9 websites |
Website Distribution by TLD
Number of websites using CVE-2025-9029| .com | 113 websites |
| .de | 15 websites |
| .org | 12 websites |
| .net | 9 websites |
| .es | 7 websites |
| .nl | 7 websites |
| .com.au | 7 websites |
| .com.br | 7 websites |
| .it | 6 websites |
| .fr | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-9029
Top websites that are affected by CVE-2025-9029. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | United States | ***,*** | |
| *********.com |  Canada | ***,*** | |
| ***.it | Italy | ***,*** | |
| ********.nl |  Netherlands | ***,*** | |
| **************.com | GB | ***,*** | |
| **************.net | United States | ***,*** | |
| *************.com | United States | *,***,*** | |
| **********.**.mz |  Mozambique | *,***,*** | |
| ****************.com | United States | *,***,*** | |
| *******************.de | Germany | *,***,*** |
FAQ
CVE-2025-9029 is Missing Authorization in Wdesignkit
A total of 282 websites have been identified as vulnerable to CVE-2025-9029, based on global website indexing conducted by WebTechSurvey.
The Wdesignkit is affected by the CVE-2025-9029 vulnerability.
Wdesignkit versions up to and including 1.2.16 are vulnerable to CVE-2025-9029.