Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in ThimPress Thim Core allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Thim Core: from n/a through 2.3.3.
AnalysisAI
Missing authorization in the ThimPress Thim Core WordPress plugin (all versions through 2.3.3) allows authenticated low-privileged users to perform actions exceeding their intended permission level due to improperly enforced access control checks. The flaw, classified as CWE-862 (Missing Authorization), results in unauthorized integrity-impacting operations without requiring administrative credentials, as confirmed by the CVSS vector (PR:L/I:L). No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Technical ContextAI
Thim Core is a foundational WordPress plugin developed by ThimPress (CPE: cpe:2.3:a:thimpress:thim_core:*:*:*:*:*:*:*:*), commonly bundled with ThimPress themes to provide core functionality such as shortcodes, post types, and widget management. CWE-862 (Missing Authorization) identifies a root cause where the application performs a function without verifying that the requesting user holds the necessary capability or role. In WordPress, this typically manifests as plugin endpoints or AJAX handlers that check only for authentication (is_user_logged_in()) without enforcing role-based capability checks (current_user_can()), enabling privilege escalation within the plugin's operational scope. The CVSS vector AV:N/AC:L confirms the flaw is remotely triggerable with low complexity, and the S:U (Unchanged) scope means exploitation is contained to the plugin's own authorization boundary.
RemediationAI
The primary remediation is to update the Thim Core plugin beyond version 2.3.3 - the exact patched release version is not independently confirmed in the available data, so administrators should check the WordPress plugin repository or the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/thim-core/vulnerability/wordpress-thim-core-plugin-plugin-2-3-3-broken-access-control-vulnerability) for the confirmed fixed version before upgrading. As a compensating control where immediate patching is not possible, restrict authenticated access to the WordPress site to trusted users only - revoke or audit low-privilege accounts (subscriber, contributor roles) that are not operationally required, since PR:L means any authenticated user is a potential threat actor. Additionally, a Web Application Firewall (WAF) with WordPress-specific rulesets (e.g., Patchstack's virtual patching or Wordfence) can block exploitation attempts at the HTTP layer with minimal side effects.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210032
GHSA-65p2-jm3w-jw88