Skip to main content

Constructor WordPress Theme EUVDEUVD-2025-210030

| CVE-2025-53302 MEDIUM
Missing Authorization (CWE-862)
2026-06-02 Patchstack GHSA-5cfp-rwx6-gqmw
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 10:22 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Anton Shevchuk Constructor allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Constructor: from n/a through 1.6.5.

AnalysisAI

Unauthenticated broken access control in the Constructor WordPress theme (versions through 1.6.5) exposes restricted functionality to any remote visitor without authentication. The missing authorization check (CWE-862) allows network-accessible exploitation with no user interaction required, resulting in unauthorized read access to data or functionality that should be ACL-protected. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector confirms trivially low exploitation complexity.

Technical ContextAI

The Constructor theme for WordPress, developed by Anton Shevchuk, fails to properly enforce access controls on one or more of its functional endpoints or AJAX handlers (CWE-862: Missing Authorization). WordPress plugins and themes commonly implement custom REST API routes or admin-ajax.php handlers that are expected to validate user capabilities via functions such as current_user_can() before serving sensitive data or performing actions. When these checks are absent or bypassable, any unauthenticated HTTP client can invoke protected functionality. The affected CPE is cpe:2.3:a:anton_shevchuk:constructor:*:*:*:*:*:*:*:*, covering all releases up to and including version 1.6.5. The tag 'Authentication Bypass' reinforces that the access constraint failure is reachable without credentials.

RemediationAI

The primary remediation is to update the Constructor theme to the latest available version beyond 1.6.5, which should include the authorization fix; however, no explicit patched release version was confirmed in the available intelligence - verify the current version on the WordPress theme repository or the vendor's GitHub before upgrading. The Patchstack advisory at https://patchstack.com/database/wordpress/theme/constructor/vulnerability/wordpress-constructor-theme-1-6-5-broken-access-control-vulnerability should be consulted for the confirmed fixed version once published. If no patch is yet available or the theme is not actively maintained, the most effective compensating control is to deactivate and remove the Constructor theme and replace it with an alternative; deactivating eliminates the attack surface entirely with no functional side effects for non-production sites. As a secondary control on active sites pending a patch, consider using a web application firewall rule to restrict access to the theme's specific AJAX or REST endpoints identified by Patchstack to authenticated sessions only, though this requires knowledge of the exact vulnerable endpoint which is not disclosed in the current advisory summary.

Share

EUVD-2025-210030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy