Skip to main content

Thim Core EUVDEUVD-2025-210031

| CVE-2025-53345 HIGH
Missing Authorization (CWE-862)
2026-06-02 Patchstack GHSA-7qg8-x7c8-5jjr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 02, 2026 - 12:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 02, 2026 - 12:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 02, 2026 - 12:22 vuln.today
cvss_changed
Severity Changed
Jun 02, 2026 - 12:22 NVD
MEDIUM HIGH
CVSS changed
Jun 02, 2026 - 12:22 NVD
6.5 (MEDIUM) 8.8 (HIGH)
Analysis Generated
Jun 02, 2026 - 10:22 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in ThimPress Thim Core.

This issue affects Thim Core: from n/a through 2.3.3.

AnalysisAI

Privilege-bound arbitrary code execution in ThimPress Thim Core (WordPress plugin) versions through 2.3.3 allows authenticated low-privilege users to bypass authorization checks and execute arbitrary code on affected sites, per Patchstack's advisory tagging this as an authentication bypass leading to RCE. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with low attack complexity over the network. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Thim Core is a foundational WordPress plugin from ThimPress that underpins several commercial WordPress themes (frequently bundled with LearnPress-based educational themes) and provides shared functionality such as theme options, demo importers, and customizer hooks. The root cause is CWE-862 (Missing Authorization), meaning a sensitive code path - likely an AJAX action, REST endpoint, or admin-post handler - fails to verify that the calling user has the appropriate capability (e.g. manage_options) before executing privileged logic. The Patchstack title characterizes the resulting primitive as 'arbitrary code execution,' which in WordPress plugins typically arises from unprotected file upload, file include, settings import, or template-rendering handlers. The CPE cpe:2.3:a:thimpress:thim_core:*:*:*:*:*:*:*:* scopes the impact to all Thim Core installations through 2.3.3.

RemediationAI

No vendor-released patch version is independently confirmed in the supplied intelligence - the only reference is the Patchstack advisory which identifies 2.3.3 as the last affected build, so administrators should upgrade Thim Core to the next release published by ThimPress after 2.3.3 (verify on the plugin update channel or ThimPress's theme dashboard) and confirm patched status against the Patchstack entry at https://patchstack.com/database/wordpress/plugin/thim-core/vulnerability/wordpress-thim-core-plugin-2-3-3-arbitrary-code-execution-vulnerability. Until the fixed version is installed, restrict the vulnerable surface by disabling open user registration in WordPress (Settings → General → 'Anyone can register' unchecked), reviewing existing Subscriber/Contributor accounts for unfamiliar users, and placing a WAF rule (Patchstack, Wordfence, or equivalent) in front of /wp-admin/admin-ajax.php and /wp-json/ routes that match Thim Core handlers - note the side effect that aggressive blocking of admin-ajax can break legitimate frontend AJAX features in ThimPress themes. As a last-resort compensating control, deactivate the Thim Core plugin, which will disable theme options and demo-import functionality on dependent ThimPress themes and may visually degrade the site.

Share

EUVD-2025-210031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy