Skip to main content

Miraculous WordPress Theme CVE-2025-58629

HIGH
Missing Authorization (CWE-862)
2025-11-06 audit@patchstack.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 00:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 24, 2026 - 00:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.0.9.

AnalysisAI

Remote unauthenticated attackers can cause high-impact availability disruption in the Miraculous WordPress theme through arbitrary content deletion. The vulnerability allows exploitation of misconfigured access control in versions before 2.0.9, requiring no authentication or user interaction. EPSS score of 0.06% (18th percentile) indicates very low observed exploitation probability, with no public exploit code or CISA KEV listing at time of analysis. Despite CVSS 7.5 severity, the purely availability-focused impact (C:N/I:N/A:H) suggests this is a denial-of-service vector rather than a data breach risk.

Technical ContextAI

This is a missing authorization vulnerability (CWE-862) in the Miraculous WordPress theme by developer kamleshyadav. CWE-862 occurs when an application fails to perform authorization checks before granting access to protected resources or functionality. In WordPress themes, this typically manifests when AJAX handlers, REST API endpoints, or admin functions lack proper capability checks using WordPress functions like current_user_can() or check_ajax_referer(). The Patchstack reference specifically identifies this as an 'Arbitrary Content Deletion Vulnerability', indicating the theme exposes content deletion functionality without validating the requester's permissions. WordPress themes should enforce role-based access controls for administrative operations, but this theme version allows unauthenticated access to deletion operations that should require editor or administrator privileges.

Affected ProductsAI

The vulnerability affects the Miraculous WordPress theme developed by kamleshyadav, impacting all versions prior to 2.0.9. Organizations can verify their installed version through the WordPress admin dashboard under Appearance > Themes. The fix is documented in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-0-9-arbitrary-content-deletion-vulnerability, which identifies version 2.0.9 as the patched release. No specific CPE identifiers are provided in the available data, and no vendor advisory from the theme developer's official channels has been independently confirmed.

RemediationAI

Upgrade to Miraculous theme version 2.0.9 or later through the WordPress admin dashboard (Appearance > Themes > Update) or by downloading the patched version from the theme's official distribution channel and uploading via FTP. If immediate upgrade is not feasible, implement compensating controls: restrict WordPress REST API access to authenticated users only by adding authentication requirements in your web server configuration or using a security plugin to enforce authorization on all AJAX and API endpoints; enable detailed WordPress activity logging to detect unauthorized content deletion attempts; implement regular automated backups with point-in-time recovery capabilities to mitigate availability impact from successful exploitation (note that backups address consequence, not vulnerability); consider temporarily deactivating the theme and switching to a default WordPress theme if arbitrary content deletion poses unacceptable business risk and patch deployment requires extended approval cycles. Full vendor advisory details are available at https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-0-9-arbitrary-content-deletion-vulnerability. Note that compensating controls reduce impact but do not eliminate the vulnerability - upgrade remains the only complete remediation.

Share

CVE-2025-58629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy