Miraculous WordPress Theme CVE-2025-58629
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through < 2.0.9.
AnalysisAI
Remote unauthenticated attackers can cause high-impact availability disruption in the Miraculous WordPress theme through arbitrary content deletion. The vulnerability allows exploitation of misconfigured access control in versions before 2.0.9, requiring no authentication or user interaction. EPSS score of 0.06% (18th percentile) indicates very low observed exploitation probability, with no public exploit code or CISA KEV listing at time of analysis. Despite CVSS 7.5 severity, the purely availability-focused impact (C:N/I:N/A:H) suggests this is a denial-of-service vector rather than a data breach risk.
Technical ContextAI
This is a missing authorization vulnerability (CWE-862) in the Miraculous WordPress theme by developer kamleshyadav. CWE-862 occurs when an application fails to perform authorization checks before granting access to protected resources or functionality. In WordPress themes, this typically manifests when AJAX handlers, REST API endpoints, or admin functions lack proper capability checks using WordPress functions like current_user_can() or check_ajax_referer(). The Patchstack reference specifically identifies this as an 'Arbitrary Content Deletion Vulnerability', indicating the theme exposes content deletion functionality without validating the requester's permissions. WordPress themes should enforce role-based access controls for administrative operations, but this theme version allows unauthenticated access to deletion operations that should require editor or administrator privileges.
Affected ProductsAI
The vulnerability affects the Miraculous WordPress theme developed by kamleshyadav, impacting all versions prior to 2.0.9. Organizations can verify their installed version through the WordPress admin dashboard under Appearance > Themes. The fix is documented in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-0-9-arbitrary-content-deletion-vulnerability, which identifies version 2.0.9 as the patched release. No specific CPE identifiers are provided in the available data, and no vendor advisory from the theme developer's official channels has been independently confirmed.
RemediationAI
Upgrade to Miraculous theme version 2.0.9 or later through the WordPress admin dashboard (Appearance > Themes > Update) or by downloading the patched version from the theme's official distribution channel and uploading via FTP. If immediate upgrade is not feasible, implement compensating controls: restrict WordPress REST API access to authenticated users only by adding authentication requirements in your web server configuration or using a security plugin to enforce authorization on all AJAX and API endpoints; enable detailed WordPress activity logging to detect unauthorized content deletion attempts; implement regular automated backups with point-in-time recovery capabilities to mitigate availability impact from successful exploitation (note that backups address consequence, not vulnerability); consider temporarily deactivating the theme and switching to a default WordPress theme if arbitrary content deletion poses unacceptable business risk and patch deployment requires extended approval cycles. Full vendor advisory details are available at https://patchstack.com/database/Wordpress/Theme/miraculous/vulnerability/wordpress-miraculous-theme-2-0-9-arbitrary-content-deletion-vulnerability. Note that compensating controls reduce impact but do not eliminate the vulnerability - upgrade remains the only complete remediation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today