CVE-2025-58824

What the vulnerability is

The Shk Corporate WordPress theme, versions up to and including 2.4.1.1, contains a missing authorization vulnerability. The root cause is a failure to properly check user permissions or nonce tokens in certain functions, leading to broken access control [1]. This issue is classified as a missing authorization flaw, meaning the theme does not verify that a user has the required privileges before allowing access to higher-privileged actions [1].

How it is exploited

An attacker can exploit this vulnerability without needing any special authentication or elevated privileges. The attack surface is the theme's unauthenticated or low-privilege endpoints that lack proper access control checks. By sending crafted requests, an unprivileged user can trigger functions that should be restricted to administrators or other higher-privileged roles [1]. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows an attacker to perform actions that should require higher privileges, such as modifying theme settings or accessing sensitive data. The CVSS score of 4.3 (Medium) reflects the low complexity and network-based attack vector, though the impact on confidentiality, integrity, and availability is limited [1]. The vulnerability is considered low severity but still poses a risk to sites running the affected theme.

Mitigation

The theme has not been updated for 5 months and is unlikely to receive further patches. The recommended action is to remove and replace the theme entirely. Deactivating the theme does not remove the security threat unless a mitigation rule (e.g., from Patchstack) is deployed [1]. Users should update immediately if a patched version becomes available, or seek help from their hosting provider.