CVE-2025-39398
Description
Missing Authorization vulnerability in Themovation Bellevue bellevuex. This issue affects Bellevue: from n/a through <= 4.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-39398 is a missing authorization vulnerability in the Bellevue theme (≤4.2.2) for WordPress, allowing unauthorized access due to broken access controls.
Vulnerability Overview
CVE-2025-39398 is a missing authorization vulnerability in the WordPress theme Bellevue (versions through 4.2.2). The issue is caused by a broken access control mechanism: specifically, a function lacks an authorization, authentication, or nonce token check. This allows an unprivileged user to execute actions that should require higher privileges [1].
Exploitation
The vulnerability can be exploited remotely and without authentication, meaning any unauthenticated visitor to a site running the vulnerable theme could potentially trigger the missing authorization flaw. The attack surface is broad, as the theme is used on WordPress sites. The reference notes that such vulnerabilities are often leveraged in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Impact
By exploiting this broken access control, an attacker may perform privileged actions such as accessing or modifying protected data or settings, leading to partial loss of confidentiality or integrity. The CVSS v3 severity is rated Medium (4.3) due to the network attack vector and low attack complexity, but no authentication is required for exploitation [1].
Mitigation
The vendor has patched the vulnerability in Bellevue version 4.2.2 or later. Users are strongly advised to update the theme immediately. If updating is not possible, site owners should contact their hosting provider or web developer for assistance. The vulnerability is publicly disclosed and is considered a risk for exploitation in automated attacks [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 4.2.2
Patches
No patches discovered yet.