Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint, low complexity, requires a subscriber account (PR:L), no user interaction, and full admin takeover yields C:H/I:H/A:H.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Privilege Escalation in Genemy <= 1.6.6 versions.
AnalysisAI
Privilege escalation in the Genemy WordPress theme versions 1.6.6 and earlier allows authenticated subscriber-level users to elevate their privileges to higher roles, gaining administrative control over affected WordPress sites. The flaw, reported by Patchstack and tracked under CWE-266 (Incorrect Privilege Assignment), affects all installations using the jthemes Genemy theme up to and including 1.6.6, and no public exploit identified at time of analysis. Given the low attack complexity and minimal authentication requirement (any subscriber account), this represents a high-impact issue for any WordPress site running the affected theme with open user registration.
Technical ContextAI
Genemy is a commercial WordPress theme distributed by jthemes (CPE: cpe:2.3:a:jthemes:genemy), commonly used for portfolio and creative websites. The underlying weakness is CWE-266 (Incorrect Privilege Assignment), which typically manifests in WordPress themes when AJAX endpoints, profile-update handlers, or role-management functions fail to validate the requesting user's existing capabilities before allowing role changes - for example, missing current_user_can() checks or accepting role parameters directly from client-supplied data. WordPress themes that ship custom user-management features are a recurring source of this class of bug, since theme developers often bypass core WordPress role/capability APIs in favor of custom logic.
RemediationAI
No vendor-released patch identified at time of analysis based on the provided references; administrators should monitor the jthemes vendor page and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-privilege-escalation-vulnerability for a fixed release above 1.6.6 and upgrade as soon as it is published. As compensating controls, disable open user registration in WordPress (Settings → General → uncheck 'Anyone can register') to remove the subscriber-account prerequisite, audit existing subscriber accounts for unexpected role changes, and consider deploying Patchstack's virtual patching or a WAF rule to block requests to the theme's vulnerable endpoint - note that disabling registration breaks any membership or community functionality that depends on it, and switching themes will lose Genemy-specific styling and templates.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210230