CVE-2025-26920

Vulnerability

Overview

The Customify theme for WordPress, versions 0.4.8 and below, contains a missing authorization vulnerability [1]. The issue stems from an incorrectly configured access control security level within the theme's code, which fails to properly authenticate or authorize users before allowing certain higher-privileged actions. This broken access control flaw means that functions that should require administrative or editor-level permissions are accessible without adequate checks.

Exploitation

Attackers can exploit this vulnerability remotely without needing prior authentication or special network access, as the vulnerability affects the core logic of the theme's permission handling [1]. By crafting specific requests, an unprivileged user—such as a subscriber or even a visitor—can bypass intended access restrictions. The lack of nonce token verification or capability checks in the affected function(s) makes it possible to trigger privileged operations from a low-privilege context.

Impact

Successful exploitation allows an attacker to perform actions that should be reserved for higher-privileged users, such as modifying theme settings, injecting malicious content, or otherwise compromising the site's integrity [1]. This vulnerability is considered a medium-severity risk (CVSS 5.4) and has been observed in mass-exploit campaigns, where attackers automate attacks against thousands of WordPress sites [1].

Mitigation

The vendor has released a patch; users should update the Customify theme to the latest available version immediately [1]. For those unable to update, consulting with a hosting provider or web developer for interim security measures is recommended. There is no mention of the vulnerability being listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.