Skip to main content

Genemy WordPress Theme EUVDEUVD-2025-210230

| CVE-2025-69138 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-17 Patchstack
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable WordPress endpoint, low complexity, requires a subscriber account (PR:L), no user interaction, and full admin takeover yields C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:40 vuln.today

DescriptionCVE.org

Subscriber Privilege Escalation in Genemy <= 1.6.6 versions.

AnalysisAI

Privilege escalation in the Genemy WordPress theme versions 1.6.6 and earlier allows authenticated subscriber-level users to elevate their privileges to higher roles, gaining administrative control over affected WordPress sites. The flaw, reported by Patchstack and tracked under CWE-266 (Incorrect Privilege Assignment), affects all installations using the jthemes Genemy theme up to and including 1.6.6, and no public exploit identified at time of analysis. Given the low attack complexity and minimal authentication requirement (any subscriber account), this represents a high-impact issue for any WordPress site running the affected theme with open user registration.

Technical ContextAI

Genemy is a commercial WordPress theme distributed by jthemes (CPE: cpe:2.3:a:jthemes:genemy), commonly used for portfolio and creative websites. The underlying weakness is CWE-266 (Incorrect Privilege Assignment), which typically manifests in WordPress themes when AJAX endpoints, profile-update handlers, or role-management functions fail to validate the requesting user's existing capabilities before allowing role changes - for example, missing current_user_can() checks or accepting role parameters directly from client-supplied data. WordPress themes that ship custom user-management features are a recurring source of this class of bug, since theme developers often bypass core WordPress role/capability APIs in favor of custom logic.

RemediationAI

No vendor-released patch identified at time of analysis based on the provided references; administrators should monitor the jthemes vendor page and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-privilege-escalation-vulnerability for a fixed release above 1.6.6 and upgrade as soon as it is published. As compensating controls, disable open user registration in WordPress (Settings → General → uncheck 'Anyone can register') to remove the subscriber-account prerequisite, audit existing subscriber accounts for unexpected role changes, and consider deploying Patchstack's virtual patching or a WAF rule to block requests to the theme's vulnerable endpoint - note that disabling registration breaks any membership or community functionality that depends on it, and switching themes will lose Genemy-specific styling and templates.

Share

EUVD-2025-210230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy