Starter Templates Vulnerability – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass – CVE-2025-13065 | WordPress Plugin Vulnerability Report

Plugin Name: Starter Templates – AI-Powered Templates for Elementor & Gutenberg


Key Information:

Software Type: Plugin
Software Slug: astra-sites
Software Status: Active
Software Author: brainstormforce
Software Downloads: 86,521,101
Active Installs: 2,000,000
Last Updated: December 6, 2025
Patched Versions: 4.4.42
Affected Versions: ≤ 4.4.41


Vulnerability Details:

Name: Starter Templates ≤ 4.4.41 – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass
Title: Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass
Type: Unrestricted Upload of File with Dangerous Type
CVE: CVE-2025-13065
CVSS Score: 8.8 (High)
Publicly Published: December 5, 2024
Researcher: mikemyers
Description:
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file type validation when detecting WXR files in all versions up to, and including, 4.4.41. The vulnerability allows double-extension files (e.g., .php.wxr) to bypass sanitization and be accepted as valid WXR files. This makes it possible for authenticated attackers with Author-level access and above to upload arbitrary files to the affected site’s server, potentially leading to remote code execution (RCE).
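To make the validation flaw concrete, here is an added Python illustration; it is not the plugin's code (the plugin is written in PHP and this page does not show its routine). It places a naive extension check, which looks only at the trailing extension and therefore accepts a name such as import.php.wxr, next to a hardened one that requires exactly one extension, rejects path separators and PHP open tags, and confirms the body parses as an RSS 2.0 document carrying the wp:wxr_version element that WordPress WXR exports contain. The sample documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Sample documents constructed for this example (not taken from any real site).
GOOD_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
<channel><title>Demo export</title><wp:wxr_version>1.2</wp:wxr_version></channel>
</rss>"""
NOT_WXR = b"<?php echo 'not a template'; ?>\n"


def weak_is_wxr(filename: str) -> bool:
    """Naive check modelled on the flaw in the advisory: only the trailing
    extension is inspected, so 'import.php.wxr' is accepted."""
    return filename.lower().endswith(".wxr")


def hardened_is_wxr(filename: str, content: bytes) -> bool:
    """Accept the upload only if both the name and the body look like WXR."""
    # Reject anything carrying a path component or NUL; the server picks the path.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    parts = filename.lower().split(".")
    # Exactly one extension, and it must be .wxr: 'a.php.wxr' has two and fails.
    if len(parts) != 2 or parts[1] != "wxr":
        return False
    # Conservative stem: letters, digits, dash, underscore only.
    if not re.fullmatch(r"[a-z0-9_-]{1,100}", parts[0]):
        return False
    # No PHP open tag anywhere in the body, even inside otherwise valid XML.
    if b"<?php" in content or b"<?=" in content:
        return False
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return False
    # WXR is an RSS 2.0 document whose channel carries wp:wxr_version.
    if root.tag != "rss":
        return False
    return any(
        el.tag.startswith("{http://wordpress.org/export/") and el.tag.endswith("}wxr_version")
        for el in root.iter()
    )
```

The point of the content checks is that the file name alone is not trustworthy: even with a single extension, a body that is not a WXR export should be refused before it is written anywhere under the web root.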


Summary:

The Starter Templates plugin for WordPress has a vulnerability in versions up to and including 4.4.41 that allows authenticated users with Author-level access and above to upload arbitrary files to the server. This vulnerability could lead to remote code execution and complete site compromise. The issue has been patched in version 4.4.42.


Detailed Overview:

This high-severity vulnerability in the Starter Templates plugin was discovered by mikemyers and is caused by inadequate file type validation in the plugin’s WXR file upload process. When users import website templates, the plugin attempts to validate uploaded files as legitimate WordPress eXtended RSS (WXR) files. However, the plugin’s sanitization routine fails to properly reject files with double extensions (such as .php.wxr), allowing malicious code to slip through undetected.

An attacker with Author-level permissions or higher could exploit this flaw to upload executable PHP files disguised as WXR imports. Once uploaded, these files could be executed on the server, allowing the attacker to run arbitrary code. This could result in full site takeover, malware injection, data exfiltration, or persistent backdoors.

The vulnerability was publicly disclosed on December 5, 2024, and the developers at Brainstorm Force acted quickly to release a fix in version 4.4.42 on December 6, 2025. The updated version strengthens file validation and sanitization procedures to prevent dangerous file types from being uploaded.


Advice for Users:

Immediate Action:
Users should update the Starter Templates plugin to version 4.4.42 or later immediately. The latest version includes the necessary fix to prevent arbitrary file uploads and potential remote code execution.

Check for Signs of Vulnerability:
Website owners should inspect their /wp-content/uploads/ and /wp-content/plugins/ directories for suspicious files, especially those ending in .php.wxr or other double extensions. Unexpected files, unauthorized redirects, or strange behaviors could indicate compromise. Reviewing server logs for unusual activity from Author-level accounts can also help identify attempted exploits.
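The inspection recommended above can be scripted. The following is an added Python example, not part of the original report: it walks an uploads tree and flags files whose names carry double or executable extensions, or whose first bytes contain a PHP open tag. It runs against a throwaway directory constructed inline; point scan() at a copy of a real /wp-content/uploads/ tree to use it. The executable-extension list is an assumption chosen for the example, not a WordPress-defined set.

```python
import os
import tempfile
from pathlib import Path

# Extensions that should never appear in an uploads tree (list constructed for this example).
EXEC_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def classify(path: Path) -> list[str]:
    """Return the reasons a file looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    exts = path.name.lower().split(".")[1:]
    if len(exts) >= 2:
        reasons.append("double extension: ." + ".".join(exts))
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension")
    if any(e in EXEC_EXTS for e in exts[:-1]):
        reasons.append("executable inner extension")
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        return reasons
    if b"<?php" in head or b"<?=" in head:
        reasons.append("PHP open tag in content")
    return reasons


def scan(root: Path) -> dict[str, list[str]]:
    """Walk root and map each flagged file (relative POSIX path) to its reasons."""
    root = Path(root)
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed uploads tree with one clean and three suspicious files, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp, "wp-content", "uploads")
        month = uploads / "2025" / "12"
        month.mkdir(parents=True)
        (month / "hero.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (month / "import.php.wxr").write_bytes(b"<?php echo 1; ?>")
        (month / "template.wxr").write_bytes(b'<rss version="2.0"></rss>')
        (month / "notes.phtml").write_bytes(b"plain text, but the extension is executable")
        return scan(uploads)


if __name__ == "__main__":
    for rel, why in demo().items():
        print(rel, "->", "; ".join(why))
```

A hit on the name alone (notes.phtml) is worth reviewing even when the content looks harmless, because a later write to the same file would be served as code; a hit on content alone catches payloads hidden behind an innocuous extension.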

Alternate Plugins:
While the vulnerability has been patched, users may still consider exploring alternative template or page builder plugins, such as Envato Elements or Template Kits for Elementor, which provide similar functionality and have established security track records.

Stay Updated:
Always keep your WordPress core, themes, and plugins up to date. Enable automatic updates if possible or schedule regular maintenance checks to ensure your site stays protected against newly discovered vulnerabilities.


Conclusion:

The quick response from Brainstorm Force to patch this high-severity vulnerability demonstrates their commitment to maintaining plugin security. However, this incident serves as a reminder that all site owners must remain proactive. Keeping your WordPress installation updated, auditing user permissions, and monitoring for unusual activity are key to preventing exploitation.

Users should confirm they are running Starter Templates version 4.4.42 or later to secure their sites against arbitrary file uploads and potential remote code execution.


References:

  • WordPress Plugin Repository

  • plugins.trac.wordpress.org

  • CVE-2025-13065 – National Vulnerability Database


A high-severity vulnerability has been discovered that affects millions of WordPress websites using the popular Starter Templates plugin. With over two million active installs, this plugin helps users quickly build sites using pre-designed templates. However, a flaw in older versions (≤ 4.4.41) allows authenticated attackers to upload arbitrary files that could lead to full site compromise.

The issue arises from improper file type validation during the WXR import process. By exploiting this weakness, an attacker with Author-level permissions could upload a malicious file—such as a disguised PHP script—that the server would accept as a legitimate WXR file. Once executed, this script could grant the attacker full control of the website, enabling them to modify content, steal data, or install persistent backdoors.

For business owners, the consequences of this type of exploit can be severe: website defacement, data breaches, customer trust loss, and SEO penalties. If your site uses Starter Templates, update immediately to version 4.4.42 or higher. After updating, inspect your site’s uploads folder for suspicious files and confirm that only trusted users hold Author or Editor roles.

Although a patch is available, this incident underscores a recurring theme in website management—security depends on regular maintenance. Even reputable plugins can develop flaws over time, making updates an essential part of website ownership.

For small business owners without the time or technical expertise to stay on top of updates, WordPress maintenance services can be invaluable. These services monitor for new vulnerabilities, apply patches automatically, and ensure your site remains secure and stable.

By taking a few proactive steps—updating your plugins, auditing user roles, and relying on professional security support—you can protect your site from vulnerabilities like this one and keep your business running smoothly.

Staying Secure

As a business owner, you don’t have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We’ll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site’s security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
