CVE-2025-63067

Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: 2025-12-09

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd)

Description

Missing Authorization vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a through < 3.7.3.

Analysis

The Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) allows authenticated users to reach functionality or data they are not authorized for, because the plugin does not perform proper authorization checks. This broken access control can result in information disclosure or privilege escalation. The vulnerability requires valid WordPress credentials and carries a CVSS base score of only 4.3 (Medium); together with the availability of a confirmed vendor patch, this reduces the immediate risk. No public exploit code or active exploitation had been identified at the time of analysis.

Technical Context

This is a missing authorization vulnerability (CWE-862, Missing Authorization, a form of improper access control) in the Porto Theme - Functionality WordPress plugin. The vulnerability stems from inadequate access control checks on protected functionality, allowing authenticated users with lower privilege levels to perform actions or access data that should be restricted to higher-privilege roles. WordPress plugins implement role-based access control through the capabilities system (the role-to-capability map evaluated by current_user_can()); this plugin fails to verify the current user's capabilities before executing sensitive operations. The underlying issue is a logic flaw in authorization enforcement rather than a cryptographic or authentication weakness: a valid session is enough to cross the intended permission boundary.
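As an added illustration (not code from the Porto plugin, whose affected function the advisory does not show), the following hypothetical WordPress AJAX handler contrasts the missing-authorization pattern described above with a hardened version; every hook, function and option name in it is invented.

```php
<?php
// Hypothetical CWE-862 pattern in a WordPress plugin AJAX handler.
// NOT the Porto Theme - Functionality code; all names below are invented.

// --- Vulnerable pattern: reachable by any logged-in user, no capability check ---
// The wp_ajax_{action} hook fires for every authenticated user, including
// low-privilege roles such as Subscriber. That matches the advisory's
// "Privileges Required: Low" in the CVSS vector.
add_action( 'wp_ajax_demo_export_settings', 'demo_export_settings_vulnerable' );

function demo_export_settings_vulnerable() {
    // Being logged in is treated as sufficient authorization. Any role can
    // read settings intended for administrators (information disclosure).
    $settings = get_option( 'demo_theme_settings', array() );
    wp_send_json_success( $settings );
}

// --- Hardened pattern: explicit capability check plus nonce verification ---
add_action( 'wp_ajax_demo_export_settings_safe', 'demo_export_settings_safe' );

function demo_export_settings_safe() {
    // 1. Authorization: require a capability appropriate to the operation.
    //    current_user_can() consults the role/capability map for the current
    //    user; this is the check the advisory describes as missing.
    //    wp_send_json_error() ends the request via wp_die(), so nothing below
    //    runs for an unauthorized caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this
    //    action. check_ajax_referer() also calls wp_die() on failure.
    check_ajax_referer( 'demo_export_settings', 'nonce' );

    $settings = get_option( 'demo_theme_settings', array() );
    wp_send_json_success( $settings );
}
```

Reviewing a plugin for this class of bug means checking that every wp_ajax_, REST route permission_callback, admin_post_ and shortcode handler that touches privileged data performs a capability check of this kind rather than relying on is_user_logged_in() or on the hook being registered only for logged-in users.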

Affected Products

The Porto Theme - Functionality plugin for WordPress is affected in all versions from the earliest tracked version through version 3.7.2, inclusive. The plugin is identified by a CPE reference that points to its entry in the Patchstack WordPress plugin database. Vendor advisory and patch information is available at https://patchstack.com/database/Wordpress/Plugin/porto-functionality/vulnerability/wordpress-porto-theme-functionality-plugin-3-6-2-broken-access-control-vulnerability?_s_id=cve.

Remediation

Vendor-released patch: update the Porto Theme - Functionality plugin to version 3.7.3 or later. Site administrators should open the WordPress Plugins dashboard, locate Porto Theme - Functionality, and apply the available update immediately. No workarounds are documented; patching is the primary remediation path. For sites unable to update immediately, limit the accounts that can reach the plugin's functionality to trusted administrators and monitor audit logs for unauthorized access attempts. Detailed patch and advisory information is available at the Patchstack vulnerability database URL given in Affected Products.

Priority Score

22 (on a Low / Medium / High / Critical scale)

KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0


CVE-2025-63067 vulnerability details – vuln.today
