Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Subscriber access is required per Patchstack title (PR:L, not PR:N); network reachable with low complexity; impact is destructive deletion only, so A:H with C:N/I:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions.
AnalysisAI
Arbitrary content deletion in the Brikk WordPress theme (versions up to and including 3.0.0) allows low-privileged authenticated users to delete site content due to a missing authorization check. The flaw is tracked under Patchstack and ENISA EUVD-2025-210187 with no public exploit identified at time of analysis, and the CVSS 7.5 score reflects high availability impact through destruction of site data.
Technical ContextAI
Brikk is a commercial WordPress theme published by Utillz (CPE cpe:2.3:a:utillz:brikk). The root cause is CWE-862 (Missing Authorization): one or more theme-exposed actions (likely AJAX handlers or admin-post endpoints used by the theme's front-end builder/dashboard) do not verify the caller's WordPress role or capability before performing content-deletion operations. WordPress's Subscriber role is granted to any registered user and is typically allowed in any site permitting open registration or membership, meaning the missing capability check (such as current_user_can('delete_posts')) lets that role invoke a privileged destructive action.
RemediationAI
Upstream fix availability is not independently confirmed from the supplied references - the Patchstack entry is the only advisory provided and no specific patched release version was listed, so administrators should consult the Patchstack page (https://patchstack.com/database/wordpress/theme/brikk/vulnerability/wordpress-brikk-theme-3-0-0-arbitrary-content-deletion-vulnerability) and the Utillz/ThemeForest changelog for an update beyond 3.0.0. Until a fixed release is verified, compensating controls include disabling open WordPress user registration in Settings → General (trade-off: blocks legitimate self-service signups), restricting the Subscriber role from accessing the theme's AJAX endpoints via a WAF rule or mu-plugin that filters admin-ajax.php and admin-post.php actions originating from the Brikk theme, and tightening database/file backups so that any deleted content can be restored quickly. Membership sites that cannot disable registration should treat this as urgent and consider temporarily switching themes.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210187