CVE-2025-62961
Description
Missing Authorization vulnerability in sparklewpthemes Sparkle FSE sparkle-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sparkle FSE: from n/a through <= 1.0.9.
Analysis
Sparkle FSE, a WordPress theme, fails to enforce authorization on part of its functionality in versions 1.0.9 and earlier, so an attacker can reach that functionality without holding the capability it should require. The issue is classified as CWE-862 (Missing Authorization) and was reported through Patchstack. Its exploit probability is currently rated low (EPSS 0.05%), but the underlying defect is a direct authorization failure: depending on what the exposed endpoint does, an attacker could read or modify data they are not entitled to. The description above does not name the affected endpoint or state what privilege level, if any, is needed to reach it, so site owners should assume the worst case until they have applied the patched version.
Technical Context
The vulnerability is a broken access control flaw (CWE-862: Missing Authorization) in Sparkle FSE, a full-site editing (FSE) theme for WordPress. The theme exposes functionality without checking that the caller holds the capability the action should require, so restrictions that ought to be tied to a role or capability are either absent or configured incorrectly. This is distinct from an authentication bypass: the attacker does not have to defeat identity verification, because the code never asks whether the caller, anonymous or low-privileged, is allowed to do what it is doing. In WordPress terms, a theme that registers custom endpoints, REST API routes or admin-ajax handlers must check the caller's capability (for example with current_user_can()) before performing a sensitive operation; knowing who the caller is, or not checking at all, is not enough.
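To make the distinction concrete, the following is an added example and not Sparkle FSE's code; the advisory does not name the affected route, so this does not reproduce it. It shows a hypothetical theme REST route that saves a theme option, registered first with the CWE-862 pattern (a permission callback that always succeeds) and then with a proper capability check. The namespace example-theme/v1, both route paths, the option name and the handler function are invented for illustration.

```php
<?php
// Added example, not Sparkle FSE code. The namespace, routes, option name and
// handler below are hypothetical; the WordPress functions are real core API.

// Shared handler: writes a theme option and echoes the stored value back.
function example_theme_save_accent( WP_REST_Request $request ) {
    update_option( 'example_theme_accent_color', $request['accent_color'] );
    return rest_ensure_response( array( 'accent_color' => $request['accent_color'] ) );
}

// Argument schema shared by both registrations. sanitize_hex_color() is core:
// it returns the colour for valid input, '' for empty and null for invalid.
function example_theme_accent_args() {
    return array(
        'accent_color' => array(
            'required'          => true,
            'sanitize_callback' => 'sanitize_hex_color',
            'validate_callback' => function ( $value ) {
                return (bool) sanitize_hex_color( $value );
            },
        ),
    );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE (CWE-862): '__return_true' turns the permission check into a
    // no-op. POST /wp-json/example-theme/v1/accent-unsafe from an anonymous
    // visitor reaches the handler and changes the option. Input validation
    // still runs, but validation is not authorization.
    register_rest_route( 'example-theme/v1', '/accent-unsafe', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_theme_save_accent',
        'permission_callback' => '__return_true',
        'args'                => example_theme_accent_args(),
    ) );

    // HARDENED: the same action gated on the capability that owns theme
    // settings. Anonymous callers get 401 and logged-in users without the
    // capability get 403; rest_authorization_required_code() picks which.
    // For cookie-authenticated callers core checks the X-WP-Nonce header
    // before dispatch: a missing nonce is treated as an anonymous request and
    // an invalid one is rejected outright, so cookies alone cannot satisfy
    // current_user_can() here.
    register_rest_route( 'example-theme/v1', '/accent', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_theme_save_accent',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'edit_theme_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to change theme settings.', 'example-theme' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
        'args'                => example_theme_accent_args(),
    ) );
} );
```

The same rule applies to admin-ajax handlers: an action hooked on wp_ajax_nopriv_* runs for logged-out visitors, and an action hooked on wp_ajax_* runs for any logged-in user, so both need an explicit current_user_can() check (and, for state changes, check_ajax_referer()) inside the handler. When auditing a theme, grep for permission_callback values of '__return_true' and for wp_ajax_nopriv_ hooks whose handlers write anything; those are the places a CWE-862 finding usually lives.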
Affected Products
Sparkle FSE WordPress theme (sparkle-fse), versions 1.0.9 and earlier, is affected. CPE data is not independently available from the provided sources, but the Patchstack advisory identifies this as a theme vulnerability affecting WordPress installations that use Sparkle FSE. Administrators can confirm the installed version under Appearance → Themes in the WordPress admin dashboard, from the Version: header in the theme's style.css, or by comparing against the listing in the WordPress.org theme directory. Note that a child theme built on Sparkle FSE still loads the parent theme's code, so the parent's version is the one that matters.
Remediation
Update Sparkle FSE to a patched version released after 1.0.9. Check the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Theme/sparkle-fse/vulnerability/wordpress-sparkle-fse-theme-1-0-9-broken-access-control-vulnerability) or the official WordPress.org theme repository for Sparkle FSE for the release in which the authorization checks were added, and install it. If automatic theme updates are not enabled, update manually through Appearance → Themes → Update in the WordPress admin dashboard. As an interim mitigation until the update can be applied, administrators may restrict access to the theme's customization and REST API endpoints through Web Application Firewall (WAF) rules or an authentication plugin. Two caveats: the advisory does not name the vulnerable endpoint, so a WAF rule must be scoped to whatever routes the theme actually registers rather than guessed, and the WordPress block and site editors depend on the REST API, so blanket REST blocking for logged-in users will break editing. Patching is the definitive remediation.
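One way to implement the interim mitigation in WordPress itself rather than at the WAF, as an added example that is not Sparkle FSE or Patchstack code: a must-use plugin that short-circuits REST dispatch for every route under one namespace unless the caller holds a chosen capability. The namespace example-theme/v1 is a placeholder, because the advisory does not name the theme's routes; replace it with the namespace you observe for the theme in the index at /wp-json/ before deploying. The capability edit_theme_options is an assumption as well; pick the one that matches what the gated routes do.

```php
<?php
/**
 * Plugin Name: Interim REST gate for one theme namespace
 * Description: Added example for this advisory, not Sparkle FSE or Patchstack
 *              code. Copy into wp-content/mu-plugins/ until the patched theme
 *              is installed, then remove it.
 */

// ASSUMPTION: the theme's routes live under this namespace. This is a
// placeholder; read the real one from the "namespaces" list at /wp-json/.
if ( ! defined( 'EXAMPLE_GATED_NAMESPACE' ) ) {
    define( 'EXAMPLE_GATED_NAMESPACE', 'example-theme/v1' );
}

// ASSUMPTION: capability a caller must hold to reach anything in that namespace.
if ( ! defined( 'EXAMPLE_GATED_CAP' ) ) {
    define( 'EXAMPLE_GATED_CAP', 'edit_theme_options' );
}

/**
 * rest_pre_dispatch callback. WordPress passes null as $result; returning it
 * unchanged lets dispatch proceed, returning a WP_Error ends the request.
 * By the time this filter runs, core has already validated cookie auth and
 * the X-WP-Nonce header, so current_user_can() reflects a verified identity.
 */
function example_gate_theme_rest( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited this request
    }

    $route  = $request->get_route(); // e.g. "/example-theme/v1/accent"
    $prefix = '/' . EXAMPLE_GATED_NAMESPACE;

    // Match the namespace index and everything beneath it, but not a namespace
    // that merely shares a textual prefix (e.g. "/example-theme/v10/...").
    $in_namespace = ( $route === $prefix ) || ( 0 === strpos( $route, $prefix . '/' ) );
    if ( ! $in_namespace ) {
        return $result; // core and other plugins' routes are untouched
    }

    if ( current_user_can( EXAMPLE_GATED_CAP ) ) {
        return $result;
    }

    return new WP_Error(
        'rest_forbidden',
        __( 'This theme endpoint is temporarily restricted.' ),
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}
add_filter( 'rest_pre_dispatch', 'example_gate_theme_rest', 10, 3 );
```

This only covers REST routes. If the theme's unprotected functionality is an admin-ajax action, an admin-post handler or a front-end form processor, this plugin does nothing for it, and a WAF rule on the corresponding request path is the closer equivalent. Because it gates a single namespace rather than the whole REST API, the block and site editors, which talk to the core wp/v2 namespace, keep working.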