CVE-2025-62751
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in extendthemes Vireo vireo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vireo: from n/a through <= 1.0.24.
AnalysisAI
Missing authorization in the Vireo WordPress theme (versions up to 1.0.24) enables authenticated attackers with low privileges to bypass access controls and execute high-impact operations including data exfiltration, integrity compromise, and availability disruption. The vulnerability affects a specific WordPress theme product from extendthemes with CVSS 8.8 severity. While EPSS probability is low (0.04%, 13th percentile), the low attack complexity and network attack vector warrant attention for sites using this theme. No public exploit identified at time of analysis, and not listed in CISA KEV.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a failure to properly validate user permissions before granting access to restricted functionality or resources. The Vireo WordPress theme lacks proper authorization checks on sensitive operations, allowing users who have successfully authenticated to the WordPress instance-even with minimal privileges like subscriber or contributor roles-to access functionality that should be restricted to administrators or higher-privileged accounts. The CPE identifier (cpe:2.3:a:extendthemes:vireo:*:*:*:*:*:wordpress:*:*) confirms this affects the extendthemes Vireo theme running on WordPress platforms. Missing authorization vulnerabilities in WordPress themes commonly arise when theme developers fail to implement capability checks (such as current_user_can() functions) before executing privileged actions, or when access control lists are improperly configured during theme installation and initialization.
RemediationAI
Organizations using the Vireo WordPress theme should immediately upgrade to a patched version newer than 1.0.24 if available from extendthemes. Consult the official Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/vireo/vulnerability/wordpress-vireo-theme-1-0-24-broken-access-control-vulnerability for specific patch availability and version recommendations from the vendor. As an interim mitigation measure while awaiting patches, organizations should audit user accounts with access to WordPress instances running Vireo theme, remove unnecessary low-privileged accounts, implement strict user role assignments following principle of least privilege, and monitor WordPress access logs for suspicious activity patterns from authenticated users attempting to access administrative functionality. Consider implementing additional WordPress security plugins that provide enhanced authorization enforcement and activity monitoring at the application layer. If the theme is not actively required for site functionality, temporarily switching to an alternative maintained WordPress theme eliminates the attack surface entirely. For production environments with sensitive data, consider isolating WordPress instances running vulnerable Vireo versions behind additional authentication layers or restricting network access until patches can be applied.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today