Starter Templates Vulnerability – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass – CVE-2025-13065 | WordPress Plugin Vulnerability Report

Plugin Name: Starter Templates – AI-Powered Templates for Elementor & Gutenberg

Key Information:

Software Type: Plugin
Software Slug: astra-sites
Software Status: Active
Software Author: brainstormforce
Software Downloads: 86,521,101
Active Installs: 2,000,000
Last Updated: December 6, 2025
Patched Versions: 4.4.42
Affected Versions: ≤ 4.4.41

Vulnerability Details:

Name: Starter Templates ≤ 4.4.41 – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass
Title: Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass
Type: Unrestricted Upload of File with Dangerous Type
CVE: CVE-2025-13065
CVSS Score: 8.8 (High)
Publicly Published: December 5, 2024
Researcher: mikemyers
Description:
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file type validation when detecting WXR files in all versions up to, and including, 4.4.41. The vulnerability allows double-extension files (e.g., .php.wxr) to bypass sanitization and be accepted as valid WXR files. This makes it possible for authenticated attackers with Author-level access and above to upload arbitrary files to the affected site’s server, potentially leading to remote code execution (RCE).

Summary:

The Starter Templates plugin for WordPress has a vulnerability in versions up to and including 4.4.41 that allows authenticated users with Author-level access and above to upload arbitrary files to the server. This vulnerability could lead to remote code execution and complete site compromise. The issue has been patched in version 4.4.42.

Detailed Overview:

This high-severity vulnerability in the Starter Templates plugin was discovered by mikemyers and is caused by inadequate file type validation in the plugin’s WXR file upload process. When users import website templates, the plugin attempts to validate uploaded files as legitimate WordPress eXtended RSS (WXR) files. However, the plugin’s sanitization routine fails to properly reject files with double extensions (such as .php.wxr), allowing malicious code to slip through undetected. An attacker with Author-level permissions or higher could exploit this flaw to upload executable PHP files disguised as WXR imports. Once uploaded, these files could be executed on the server, allowing the attacker to run arbitrary code. This could result in full site takeover, malware injection, data exfiltration, or persistent backdoors. The vulnerability was publicly disclosed on December 5, 2024, and the developers at Brainstorm Force acted quickly to release a fix in version 4.4.42 on December 6, 2025. The updated version strengthens file validation and sanitization procedures to prevent dangerous file types from being uploaded.

Advice for Users:

Immediate Action:
Users should update the Starter Templates plugin to version 4.4.42 or later immediately. The latest version includes the necessary fix to prevent arbitrary file uploads and potential remote code execution.

Check for Signs of Vulnerability:
Website owners should inspect their /wp-content/uploads/ and /wp-content/plugins/ directories for suspicious files, especially those ending in .php.wxr or other double extensions. Unexpected files, unauthorized redirects, or strange behaviors could indicate compromise. Reviewing server logs for unusual activity from Author-level accounts can also help identify attempted exploits.

Alternate Plugins:
While the vulnerability has been patched, users may still consider exploring alternative template or page builder plugins, such as Envato Elements or Template Kits for Elementor, which provide similar functionality and have established security track records.

Stay Updated:
Always keep your WordPress core, themes, and plugins up to date. Enable automatic updates if possible or schedule regular maintenance checks to ensure your site stays protected against newly discovered vulnerabilities.
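As an added illustration (not the plugin's code; the executable-extension list and the WXR header are constructed), the block below contrasts a naive final-extension check of the kind the advisory describes with a hardened validator that rejects an executable segment anywhere in the name and verifies the body looks like a WXR export, and adds a directory scan for the double-extension names the advice above says to look for:

```python
import os
import tempfile
from typing import List

# Extensions a PHP web server may execute. A name such as "shell.php.wxr"
# carries one of these as an inner segment (constructed list for illustration).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

# Constructed minimal WXR header: an RSS 2.0 document declaring the wp namespace.
SAMPLE_WXR = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">\n'
              b"<channel><title>Demo</title></channel></rss>\n")


def name_extensions(filename: str) -> List[str]:
    """All dot-separated suffixes of the basename, lower-cased:
    'shell.PHP.wxr' -> ['php', 'wxr'], 'export.wxr' -> ['wxr']."""
    return os.path.basename(filename).lower().split(".")[1:]


def weak_is_wxr(filename: str) -> bool:
    """Naive check of the kind the advisory describes: only the final
    extension is inspected, so 'shell.php.wxr' is accepted."""
    return filename.lower().endswith(".wxr")


def hardened_is_wxr(filename: str, content: bytes) -> bool:
    """Reject any executable segment anywhere in the name, require the final
    extension to be .wxr, and require the body to look like a WXR export.
    The name check is the primary control; the content check is defence in depth."""
    exts = name_extensions(filename)
    if not exts or exts[-1] != "wxr" or EXECUTABLE_EXTS & set(exts):
        return False
    head = content.lstrip()[:4096]
    return head.startswith((b"<?xml", b"<rss")) and b"xmlns:wp=" in head


def find_suspicious_uploads(root: str) -> List[str]:
    """Walk a directory such as wp-content/uploads and list files whose name
    carries an executable extension in any position (x.php.wxr, x.php.txt)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if EXECUTABLE_EXTS & set(name_extensions(f)):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def demo_scan() -> List[str]:
    """Build a constructed uploads tree in a temp dir and return the flagged basenames."""
    root = tempfile.mkdtemp()
    for name in ("export.wxr", "shell.php.wxr", "notes.php.txt", "logo.png"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(SAMPLE_WXR if name.endswith(".wxr") else b"x")
    return [os.path.basename(p) for p in find_suspicious_uploads(root)]
```

Point find_suspicious_uploads at the real /wp-content/uploads/ and /wp-content/plugins/ paths to run the check the advice describes; every hit deserves a manual look, since a legitimate file can also carry an odd name.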

Conclusion:

The quick response from Brainstorm Force to patch this high-severity vulnerability demonstrates their commitment to maintaining plugin security. However, this incident serves as a reminder that all site owners must remain proactive. Keeping your WordPress installation updated, auditing user permissions, and monitoring for unusual activity are key to preventing exploitation. Users should confirm they are running Starter Templates version 4.4.42 or later to secure their sites against arbitrary file uploads and potential remote code execution.

References:

  • WordPress Plugin Repository
  • plugins.trac.wordpress.org
  • CVE-2025-13065 – National Vulnerability Database

A high-severity vulnerability has been discovered that affects millions of WordPress websites using the popular Starter Templates plugin. With over two million active installs, this plugin helps users quickly build sites using pre-designed templates. However, a flaw in older versions (≤ 4.4.41) allows authenticated attackers to upload arbitrary files that could lead to full site compromise.

The issue arises from improper file type validation during the WXR import process. By exploiting this weakness, an attacker with Author-level permissions could upload a malicious file, such as a disguised PHP script, that the server would accept as a legitimate WXR file. Once executed, this script could grant the attacker full control of the website, enabling them to modify content, steal data, or install persistent backdoors.

For business owners, the consequences of this type of exploit can be severe: website defacement, data breaches, customer trust loss, and SEO penalties. If your site uses Starter Templates, update immediately to version 4.4.42 or higher. After updating, inspect your site’s uploads folder for suspicious files and confirm that only trusted users hold Author or Editor roles.

Although a patch is available, this incident underscores a recurring theme in website management: security depends on regular maintenance. Even reputable plugins can develop flaws over time, making updates an essential part of website ownership. For small business owners without the time or technical expertise to stay on top of updates, WordPress maintenance services can be invaluable. These services monitor for new vulnerabilities, apply patches automatically, and ensure your site remains secure and stable. By taking a few proactive steps (updating your plugins, auditing user roles, and relying on professional security support) you can protect your site from vulnerabilities like this one and keep your business running smoothly.

Staying Secure

As a business owner, you don’t have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We’ll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site’s security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.


Starter Templates Vulnerability – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass – CVE-2025-13065 | WordPress Plugin Vulnerability Report FAQs

What is the Starter Templates vulnerability and why is it serious?

The Starter Templates vulnerability (CVE-2025-13065) allows users with Author-level access or higher to upload arbitrary files through the plugin’s WXR import feature. Due to insufficient file validation, attackers can upload disguised PHP files that bypass security checks and execute malicious code on the server. This flaw is serious because it can lead to remote code execution (RCE), enabling attackers to gain full control of a website. Once exploited, an attacker could install backdoors, steal data, or alter site content without detection.

Who discovered this vulnerability and when was it disclosed?

The vulnerability was discovered by security researcher mikemyers and publicly disclosed on December 5, 2024. Following responsible disclosure practices, the researcher shared details with the plugin developer before the information became public. In response, Brainstorm Force, the developer of Starter Templates, quickly released a patched version (4.4.42) on December 6, 2025, to fix the flaw and protect users. Their fast action helped minimize the risk of exploitation.

Which versions of Starter Templates are affected by this vulnerability?

All versions of the Starter Templates plugin up to and including 4.4.41 are affected. These versions contain the insecure file validation flaw that allows double-extension files (like .php.wxr) to be uploaded. To stay protected, you should immediately update to version 4.4.42 or later. Older versions remain vulnerable even if no signs of compromise are visible on your site.

How could this vulnerability be exploited by attackers?

An attacker with Author-level access could upload a malicious file disguised as a WXR import. Once uploaded, this file could be executed on the server, giving the attacker full control over the website. In real-world terms, that means they could deface your site, steal customer information, or install persistent malware. Even though the attack requires authentication, it’s especially dangerous for sites that grant multiple users Author-level permissions.

What are the potential risks and impacts if my site is affected?

If exploited, this vulnerability could result in remote code execution, allowing the attacker to manipulate your website and underlying server. They could steal data, add malicious scripts, or redirect visitors to harmful sites. For small businesses, this could mean downtime, reputational damage, and loss of customer trust. Attackers often use such compromised sites to spread spam or phishing campaigns, amplifying the harm beyond your own domain.  

How can I check if my site has been compromised?

Inspect your WordPress installation directories, particularly /wp-content/uploads/ and /wp-content/plugins/, for unfamiliar files with suspicious extensions like .php.wxr or .php.txt. These files may indicate an exploit attempt. Additionally, monitor your server access logs for unusual upload or execution requests. If you notice unexplained activity or unauthorized changes, consider restoring your site from a clean backup and resetting all administrative passwords.

What should I do to fix or prevent this vulnerability?

The most important step is to update to Starter Templates version 4.4.42 or later. This update includes a fix that improves file validation and prevents dangerous uploads. You can update directly through your WordPress dashboard or manually via FTP if needed. After updating, check for suspicious files and review your list of users with Author-level access. Reducing unnecessary permissions and enforcing two-factor authentication adds an extra layer of protection.

Are there alternative plugins I can use instead of Starter Templates?

Yes, if you prefer to explore other template management tools, popular options include Envato Elements, Template Kits for Elementor, and Kadence Starter Templates. These alternatives provide similar functionality and are regularly maintained. However, since Brainstorm Force promptly patched the issue, continuing to use the updated version of Starter Templates is considered safe. Switching plugins is optional, but staying updated is essential.

Has the Starter Templates plugin had previous vulnerabilities?

CVE-2025-13065 is the most recent high-severity vulnerability reported for Starter Templates. While minor issues may have occurred in the past, as with most plugins, this particular exploit marks one of the more serious cases due to its potential for remote code execution. The quick release of a patch by Brainstorm Force demonstrates responsible development and strong security response practices. Regular monitoring and timely updates remain the best defense against future risks.

How can small business owners protect their WordPress sites without constant monitoring?

Small business owners often don’t have the time or resources to track plugin updates and security advisories. The best approach is to enable automatic updates for all plugins and consider subscribing to a managed WordPress maintenance service. These services handle updates, security scans, and backups on your behalf, ensuring your website stays secure with minimal effort. By delegating these tasks, you can focus on running your business while knowing your site remains protected from emerging threats.
