Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
PR:L reflects mandatory subscriber authentication; I:H captures unauthorized write capability; C:N and A:N because no data exfiltration or service disruption is indicated.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Genemy <= 1.6.6 versions.
AnalysisAI
Broken access control in the Genemy WordPress theme (versions ≤1.6.6) permits subscriber-level authenticated users to perform high-integrity write operations that are supposed to be restricted to higher-privileged roles such as editor or administrator. The flaw originates from missing authorization checks (CWE-862) on theme-registered functionality, meaning the theme does not verify whether the requesting user holds sufficient WordPress capabilities before executing privileged actions. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the CVSS integrity impact rating of High and low attack complexity signal meaningful unauthorized content or configuration modification potential for any attacker able to obtain a subscriber account.
Technical ContextAI
Genemy is a commercial WordPress theme developed by jthemes (CPE: cpe:2.3:a:jthemes:genemy:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization): one or more of the theme's AJAX handlers, REST API endpoints, or admin-facing hooks does not call the appropriate WordPress capability check (e.g., current_user_can()) before executing a privileged operation. In WordPress's role hierarchy, 'subscriber' is the lowest registered user role and is granted only read access by default. A properly implemented theme must gate any write or administrative function behind an explicit capability assertion. The absence of that check collapses the privilege boundary between subscriber and higher roles, allowing low-privileged users to invoke functionality intended for editors or administrators.
RemediationAI
Update the Genemy theme to the latest version available in the WordPress theme repository or from jthemes directly, as all releases at or below 1.6.6 are confirmed vulnerable; the exact patched version number is not independently confirmed from the available data, so administrators should verify the current release from the Patchstack advisory at https://patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-broken-access-control-vulnerability before upgrading. As a compensating control, disable open user registration on the WordPress site (Settings → General → uncheck 'Anyone can register') to eliminate the subscriber account creation path that enables exploitation - note this prevents legitimate self-service signups as a trade-off. Additionally, deploy a WordPress security plugin such as Wordfence or a web application firewall rule that restricts unanticipated AJAX and REST API calls from subscriber-role sessions until a confirmed patched version is applied.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210205