Skip to main content

Brikk WordPress Theme CVE-2025-69103

| EUVDEUVD-2025-210187 HIGH
Missing Authorization (CWE-862)
2026-06-16 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Subscriber access is required per Patchstack title (PR:L, not PR:N); network reachable with low complexity; impact is destructive deletion only, so A:H with C:N/I:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:06 vuln.today

DescriptionCVE.org

Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions.

AnalysisAI

Arbitrary content deletion in the Brikk WordPress theme (versions up to and including 3.0.0) allows low-privileged authenticated users to delete site content due to a missing authorization check. The flaw is tracked under Patchstack and ENISA EUVD-2025-210187 with no public exploit identified at time of analysis, and the CVSS 7.5 score reflects high availability impact through destruction of site data.

Technical ContextAI

Brikk is a commercial WordPress theme published by Utillz (CPE cpe:2.3:a:utillz:brikk). The root cause is CWE-862 (Missing Authorization): one or more theme-exposed actions (likely AJAX handlers or admin-post endpoints used by the theme's front-end builder/dashboard) do not verify the caller's WordPress role or capability before performing content-deletion operations. WordPress's Subscriber role is granted to any registered user and is typically allowed in any site permitting open registration or membership, meaning the missing capability check (such as current_user_can('delete_posts')) lets that role invoke a privileged destructive action.

RemediationAI

Upstream fix availability is not independently confirmed from the supplied references - the Patchstack entry is the only advisory provided and no specific patched release version was listed, so administrators should consult the Patchstack page (https://patchstack.com/database/wordpress/theme/brikk/vulnerability/wordpress-brikk-theme-3-0-0-arbitrary-content-deletion-vulnerability) and the Utillz/ThemeForest changelog for an update beyond 3.0.0. Until a fixed release is verified, compensating controls include disabling open WordPress user registration in Settings → General (trade-off: blocks legitimate self-service signups), restricting the Subscriber role from accessing the theme's AJAX endpoints via a WAF rule or mu-plugin that filters admin-ajax.php and admin-post.php actions originating from the Brikk theme, and tightening database/file backups so that any deleted content can be restored quickly. Membership sites that cannot disable registration should treat this as urgent and consider temporarily switching themes.

Share

CVE-2025-69103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy