CVE-2025-53986

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in themeisle Hestia hestia allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hestia: from n/a through <= 3.2.10.

Analysis (AI)

Missing authorization controls in themeisle Hestia WordPress theme through version 3.2.10 allow unauthenticated attackers to access functionality that should be restricted by access control lists, enabling potential unauthorized actions within affected WordPress installations. The vulnerability has a low exploitation probability (EPSS 0.06%) and no confirmed active exploitation or public exploit code at time of analysis.

Technical Context (AI)

The vulnerability resides in the themeisle Hestia WordPress theme and is classified under CWE-862 (Missing Authorization), indicating that certain functionality lacks proper access control validation before execution. WordPress themes expose entry points through the WordPress REST API, admin-ajax actions, and front-end handlers; this vulnerability suggests that one or more of these entry points fails to verify user capabilities or roles before granting access to theme-specific operations. The absence of ACL (Access Control List) enforcement means that authorization checks, typically implemented via WordPress capability checks (is_user_logged_in(), current_user_can()), are either missing or bypassable in specific code paths.
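To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not Hestia's code and does not describe the actual affected code path. It assumes a hypothetical theme that saves a setting through an admin-ajax action and a REST route, and shows each entry point first without an authorization check and then with the capability and nonce checks WordPress provides (the `demo_*` names, the `demo_theme_setting` option and the `demo/v1` namespace are invented).

```php
<?php
// Hypothetical theme code (not Hestia's): one privileged operation exposed
// through two WordPress entry points. Each is shown vulnerable and hardened.

/* ---- admin-ajax entry point ---- */

// Vulnerable (CWE-862): registered for anonymous requests as well
// (wp_ajax_nopriv_*), and the handler checks neither a nonce nor a capability,
// so any unauthenticated request can change the option.
add_action( 'wp_ajax_demo_save_option', 'demo_save_option_unsafe' );
add_action( 'wp_ajax_nopriv_demo_save_option', 'demo_save_option_unsafe' );

function demo_save_option_unsafe() {
    $value = isset( $_POST['value'] ) ? $_POST['value'] : '';
    update_option( 'demo_theme_setting', $value );
    wp_send_json_success();
}

// Hardened: only logged-in users reach the handler (no nopriv hook), the
// request must carry a valid nonce (CSRF), the caller must hold the capability
// that the operation requires (authorization), and the input is sanitized.
add_action( 'wp_ajax_demo_save_option_safe', 'demo_save_option_safe' );

function demo_save_option_safe() {
    check_ajax_referer( 'demo_save_option', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );       // sends response and exits
    }

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'demo_theme_setting', $value );
    wp_send_json_success();
}

/* ---- REST API entry point ---- */

add_action( 'rest_api_init', function () {
    // Vulnerable: permission_callback always returns true, so the route is
    // reachable without authentication and without any capability check.
    register_rest_route( 'demo/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_setting',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: authorization is enforced in permission_callback, which
    // WordPress evaluates before the callback runs; the argument schema
    // sanitizes the value. REST requests from logged-in users also need the
    // X-WP-Nonce header, which WordPress verifies before this callback.
    register_rest_route( 'demo/v1', '/setting-safe', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_setting',
        'permission_callback' => function () {
            return current_user_can( 'edit_theme_options' );
        },
        'args'                => array(
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function demo_rest_save_setting( WP_REST_Request $request ) {
    update_option( 'demo_theme_setting', $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When reviewing a theme or plugin for this class of bug, the checks to look for are exactly the ones the hardened variants add: no `wp_ajax_nopriv_*` registration for privileged actions, a `check_ajax_referer()` or `wp_verify_nonce()` call, a `current_user_can()` test against the capability the operation actually needs (not merely `is_user_logged_in()`), and a REST `permission_callback` that is something other than `__return_true`.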

Affected Products (AI)

themeisle Hestia WordPress theme versions from an unspecified baseline through 3.2.10 are affected. The theme is distributed via the WordPress.org theme repository. CPE designation and exact affected version ranges are not independently confirmed from the provided sources; the vendor advisory via Patchstack (https://patchstack.com/database/Wordpress/Theme/hestia/vulnerability/wordpress-hestia-theme-3-2-10-broken-access-control-vulnerability?_s_id=cve) provides the authoritative version range and remediation guidance.

Remediation (AI)

Update themeisle Hestia to a patched version released after 3.2.10. The exact patched version number is not provided in the available data; consult the official themeisle Hestia GitHub repository (https://github.com/Codeinwp/hestia) or the WordPress theme directory for the latest release. As an interim measure, if immediate patching is not feasible, restrict theme functionality by disabling or limiting access to affected features where theme options permit, and monitor WordPress access logs and the admin area for unauthorized activity. The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/hestia/vulnerability/wordpress-hestia-theme-3-2-10-broken-access-control-vulnerability?_s_id=cve) should be monitored for a patched version announcement.


CVE-2025-53986 vulnerability details – vuln.today
