CVE-2025-39367
Description
Missing Authorization vulnerability in SeventhQueen Kleo kleo. This issue affects Kleo: from n/a through < 5.4.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Kleo WordPress theme before 5.4.4 has a missing authorization vulnerability, allowing unauthenticated access to privileged functions.
The Kleo WordPress theme, versions before 5.4.4, contains a missing authorization vulnerability that leads to broken access control. This flaw arises from insufficient permission checks in certain functions, allowing unauthenticated users to perform actions that should require higher privileges [1].
Attackers can exploit this vulnerability without any authentication by sending specially crafted requests to vulnerable endpoints. The vulnerability is actively used in mass-exploit campaigns targeting thousands of websites, regardless of their size or popularity [1].
Successful exploitation could allow an attacker to access sensitive functionality, potentially leading to unauthorized data exposure or site compromise. The CVSS score of 5.3 (Medium) reflects the potential for partial impact on confidentiality and integrity without requiring authentication [1].
The issue has been addressed in version 5.4.4 of the Kleo theme. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.