VYPR
Medium severity 4.3 · NVD Advisory · Published Aug 20, 2025 · Updated Apr 23, 2026

CVE-2025-49396

Description

Missing Authorization vulnerability in themifyme Themify Builder themify-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Themify Builder: from n/a through <= 7.6.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Themify Builder plugin for WordPress, versions up to 7.6.7, has a missing authorization vulnerability that allows unprivileged users to perform higher-privileged actions.

Vulnerability Overview

The Themify Builder plugin for WordPress, versions up to and including 7.6.7, contains a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly check user permissions or nonce tokens in certain functions, allowing unprivileged users to execute actions that should require higher privileges [1].

Exploitation and Attack Surface

An attacker can exploit this vulnerability without needing any special authentication, as the missing authorization check means any user (including unauthenticated visitors) may be able to trigger privileged operations. The attack surface is broad because the plugin is widely used, and the vulnerability can be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation allows an attacker to perform actions normally restricted to higher-privileged users, such as modifying site content or settings. This could lead to unauthorized changes, data exposure, or further compromise of the WordPress installation [1].

Mitigation

The vendor has released version 7.6.8, which fixes the vulnerability. Users are strongly advised to update immediately. Those unable to update should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
