Medium severity 5.3 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58004

Description

Missing Authorization vulnerability in SmartDataSoft DriCub dricub-driving-school allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DriCub: from n/a through <= 2.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization checks in the DriCub Driving School WordPress theme (≤2.9) can be exploited by unauthenticated attackers.

The DriCub Driving School WordPress theme (versions up to and including 2.9) contains a missing authorization vulnerability. This broken access control issue stems from the lack of proper capability checks or nonce tokens in certain functions, allowing unprivileged users to perform actions intended for higher-privileged roles [1].

Attackers can exploit this vulnerability without authentication, as the access control security levels are incorrectly configured. The attack surface is broad because the theme is used on many WordPress sites, and the vulnerability can be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of their size or popularity [1].

Successful exploitation could allow an attacker to execute privileged actions, such as modifying site settings or accessing sensitive data, depending on the specific missing authorization. The CVSS v3 base score of 5.3 (Medium) reflects the potential for unauthorized access without requiring authentication [1].

As an immediate mitigation, users should update the DriCub theme to a patched version if available. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. The vulnerability is actively used in mass-exploit campaigns, so prompt action is advised [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
