CVE-2025-60165
Description
Missing Authorization vulnerability in HaruTheme Frames frames allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frames: from n/a through <= 1.5.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in HaruTheme Frames theme (<=1.5.7) allows unauthenticated attackers to exploit broken access controls, potentially escalating privileges.
Vulnerability Overview
The Frames WordPress theme by HaruTheme, versions up to and including 1.5.7, suffers from a missing authorization vulnerability. The theme fails to properly enforce access control checks, allowing unauthorized users to perform actions intended for higher-privileged roles. This bug is categorized as a broken access control issue, stemming from the absence of proper nonce or capability checks in certain functions.
Exploitation Conditions
An attacker does not need authentication to exploit this vulnerability. By crafting specific requests, an unauthenticated attacker may trigger functions that should require elevated privileges. This can be done through direct HTTP requests or by tricking a site administrator into performing actions via cross-site request forgery (CSRF). The attack surface is broad, as the vulnerability affects all sites running the vulnerable theme version.
Impact
Successful exploitation could allow an attacker to gain unauthorized access to restricted functionality, modify theme settings, or escalate privileges on the WordPress site. This could lead to further compromise, such as injecting malicious content or creating rogue administrator accounts. The vulnerability is rated with a CVSS score of 4.3 (medium severity).
Mitigation
The vendor has not released a patched version as of this writing. Users are strongly advised to update the theme when a fix becomes available. In the interim, site administrators should implement web application firewall (WAF) rules to block suspicious requests and review user roles and capabilities. Given that this type of vulnerability is frequently used in mass exploitation campaigns, immediate action is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
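The bug class the narrative describes (a WordPress handler that performs a privileged action with no capability or nonce check) is shown below as an added, hypothetical illustration; this is not code from the Frames theme, and the hook names, option name and capability are assumptions chosen for the example. The first handler shows the missing-authorization pattern, the second the hardened form a reviewer would expect.

```php
<?php
// Hypothetical example (not the Frames theme's code): a settings endpoint
// reachable through admin-ajax.php.

// Vulnerable pattern: registered on the nopriv hook, so logged-out visitors
// reach it, and no nonce or capability check guards the privileged write.
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_insecure' );
function example_save_settings_insecure() {
    update_option( 'example_theme_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// Hardened pattern: logged-in hook only, nonce check to stop CSRF, and a
// capability check tied to what the action actually does.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_secure' );
function example_save_settings_secure() {
    // Terminates the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Theme settings changes require the same capability the Customizer uses.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_theme_settings', $settings );
    wp_send_json_success();
}

// The nonce is minted server-side and handed to the admin page's script;
// 'example-settings' is an assumed, already-registered script handle.
function example_enqueue_settings_script() {
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

When auditing a theme for this class of issue, grep for `wp_ajax_nopriv_`, `admin_post_nopriv_` and REST routes whose `permission_callback` is `__return_true`, and confirm each handler that writes state performs both checks.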
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.