Skip to main content

CVE-2025-53986

MEDIUM
Missing Authorization (CWE-862)
2025-07-16 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in themeisle Hestia hestia allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hestia: from n/a through <= 3.2.10.

AnalysisAI

Missing authorization controls in themeisle Hestia WordPress theme through version 3.2.10 allow unauthenticated attackers to access functionality that should be restricted by access control lists, enabling potential unauthorized actions within affected WordPress installations. The vulnerability has a low exploitation probability (EPSS 0.06%) and no confirmed active exploitation or public exploit code at time of analysis.

Technical ContextAI

The vulnerability resides in the themeisle Hestia WordPress theme and is classified under CWE-862 (Missing Authorization), indicating that certain functionality lacks proper access control validation before execution. WordPress themes interact with the WordPress REST API, admin actions, and front-end handlers; this vulnerability suggests that one or more of these entry points fails to verify user capabilities or roles before granting access to theme-specific operations. The absence of ACL (Access Control List) enforcement means that authorization checks-typically implemented via WordPress capability checks (is_user_logged_in, current_user_can())-are either missing or bypassable in specific code paths.

Affected ProductsAI

themeisle Hestia WordPress theme versions from an unspecified baseline through 3.2.10 are affected. The theme is distributed via the WordPress.org theme repository. CPE designation and exact affected version ranges are not independently confirmed from the provided sources; the vendor advisory via Patchstack (https://patchstack.com/database/Wordpress/Theme/hestia/vulnerability/wordpress-hestia-theme-3-2-10-broken-access-control-vulnerability?_s_id=cve) provides the authoritative version range and remediation guidance.

RemediationAI

Update themeisle Hestia to a patched version released after 3.2.10. The exact patched version number is not provided in the available data; consult the official themeisle Hestia GitHub repository (https://github.com/Codeinwp/hestia) or the WordPress theme directory for the latest release. As an interim measure if immediate patching is not feasible, restrict theme functionality by disabling or limiting access to affected features if theme options permit, and monitor for unauthorized access logs in the WordPress admin area. The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/hestia/vulnerability/wordpress-hestia-theme-3-2-10-broken-access-control-vulnerability?_s_id=cve) should be monitored for a patched version announcement.

Share

CVE-2025-53986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy