Skip to main content

Thim Core CVE-2025-53346

| EUVDEUVD-2025-210032 MEDIUM
Missing Authorization (CWE-862)
2026-06-02 Patchstack GHSA-65p2-jm3w-jw88
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 10:22 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in ThimPress Thim Core allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Thim Core: from n/a through 2.3.3.

AnalysisAI

Missing authorization in the ThimPress Thim Core WordPress plugin (all versions through 2.3.3) allows authenticated low-privileged users to perform actions exceeding their intended permission level due to improperly enforced access control checks. The flaw, classified as CWE-862 (Missing Authorization), results in unauthorized integrity-impacting operations without requiring administrative credentials, as confirmed by the CVSS vector (PR:L/I:L). No public exploit code exists and no active exploitation has been confirmed at time of analysis.

Technical ContextAI

Thim Core is a foundational WordPress plugin developed by ThimPress (CPE: cpe:2.3:a:thimpress:thim_core:*:*:*:*:*:*:*:*), commonly bundled with ThimPress themes to provide core functionality such as shortcodes, post types, and widget management. CWE-862 (Missing Authorization) identifies a root cause where the application performs a function without verifying that the requesting user holds the necessary capability or role. In WordPress, this typically manifests as plugin endpoints or AJAX handlers that check only for authentication (is_user_logged_in()) without enforcing role-based capability checks (current_user_can()), enabling privilege escalation within the plugin's operational scope. The CVSS vector AV:N/AC:L confirms the flaw is remotely triggerable with low complexity, and the S:U (Unchanged) scope means exploitation is contained to the plugin's own authorization boundary.

RemediationAI

The primary remediation is to update the Thim Core plugin beyond version 2.3.3 - the exact patched release version is not independently confirmed in the available data, so administrators should check the WordPress plugin repository or the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/thim-core/vulnerability/wordpress-thim-core-plugin-plugin-2-3-3-broken-access-control-vulnerability) for the confirmed fixed version before upgrading. As a compensating control where immediate patching is not possible, restrict authenticated access to the WordPress site to trusted users only - revoke or audit low-privilege accounts (subscriber, contributor roles) that are not operationally required, since PR:L means any authenticated user is a potential threat actor. Additionally, a Web Application Firewall (WAF) with WordPress-specific rulesets (e.g., Patchstack's virtual patching or Wordfence) can block exploitation attempts at the HTTP layer with minimal side effects.

Share

CVE-2025-53346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy