Skip to main content

Genemy WordPress Theme EUVDEUVD-2025-210205

| CVE-2025-69137 MEDIUM
Missing Authorization (CWE-862)
2026-06-16 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

PR:L reflects mandatory subscriber authentication; I:H captures unauthorized write capability; C:N and A:N because no data exfiltration or service disruption is indicated.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:32 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Genemy <= 1.6.6 versions.

AnalysisAI

Broken access control in the Genemy WordPress theme (versions ≤1.6.6) permits subscriber-level authenticated users to perform high-integrity write operations that are supposed to be restricted to higher-privileged roles such as editor or administrator. The flaw originates from missing authorization checks (CWE-862) on theme-registered functionality, meaning the theme does not verify whether the requesting user holds sufficient WordPress capabilities before executing privileged actions. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the CVSS integrity impact rating of High and low attack complexity signal meaningful unauthorized content or configuration modification potential for any attacker able to obtain a subscriber account.

Technical ContextAI

Genemy is a commercial WordPress theme developed by jthemes (CPE: cpe:2.3:a:jthemes:genemy:*:*:*:*:*:*:*:*). The root cause is CWE-862 (Missing Authorization): one or more of the theme's AJAX handlers, REST API endpoints, or admin-facing hooks does not call the appropriate WordPress capability check (e.g., current_user_can()) before executing a privileged operation. In WordPress's role hierarchy, 'subscriber' is the lowest registered user role and is granted only read access by default. A properly implemented theme must gate any write or administrative function behind an explicit capability assertion. The absence of that check collapses the privilege boundary between subscriber and higher roles, allowing low-privileged users to invoke functionality intended for editors or administrators.

RemediationAI

Update the Genemy theme to the latest version available in the WordPress theme repository or from jthemes directly, as all releases at or below 1.6.6 are confirmed vulnerable; the exact patched version number is not independently confirmed from the available data, so administrators should verify the current release from the Patchstack advisory at https://patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-broken-access-control-vulnerability before upgrading. As a compensating control, disable open user registration on the WordPress site (Settings → General → uncheck 'Anyone can register') to eliminate the subscriber account creation path that enables exploitation - note this prevents legitimate self-service signups as a trade-off. Additionally, deploy a WordPress security plugin such as Wordfence or a web application firewall rule that restricts unanticipated AJAX and REST API calls from subscriber-role sessions until a confirmed patched version is applied.

Share

EUVD-2025-210205 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy