CVE-2025-62961
Description
Missing Authorization vulnerability in sparklewpthemes Sparkle FSE sparkle-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sparkle FSE: from n/a through <= 1.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sparkle FSE theme versions ≤1.0.9 lack authorization checks, allowing unprivileged users to exploit incorrect access control settings.
Vulnerability Overview
The Sparkle FSE WordPress theme, through version 1.0.9, suffers from a Missing Authorization vulnerability. The root cause is that the theme incorrectly configures access control security levels, failing to properly enforce authorization checks on certain functions. This issue allows users with lower privileges to access or perform actions that should require higher-level permissions [1].
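The pattern behind a "Missing Authorization" finding in a theme is usually a privileged action wired to an endpoint whose handler never asks whether the caller is allowed to perform it. The snippet below is an added, generic WordPress illustration written for this page; it is not Sparkle FSE's code, and the action names, the option name, the nonce name and the REST namespace are assumptions. It places the flawed handler beside its hardened form so the missing check is visible.

```php
<?php
// Added illustration of a missing-authorization pattern in a WordPress theme.
// Generic example, not Sparkle FSE's code; every name below is assumed.

// --- Flawed pattern: a privileged action reachable without authorization ---
// wp_ajax_nopriv_* fires for visitors who are not logged in; wp_ajax_* fires
// for any logged-in user, subscribers included. Neither hook enforces
// capabilities, so the handler itself must, and this one does not.
add_action( 'wp_ajax_nopriv_demo_theme_save_setting', 'demo_theme_save_setting_flawed' );
add_action( 'wp_ajax_demo_theme_save_setting', 'demo_theme_save_setting_flawed' );

function demo_theme_save_setting_flawed() {
    // No nonce check and no capability check: anyone who can reach
    // admin-ajax.php can overwrite a site option.
    update_option( 'demo_theme_footer_text', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened form ---
// Registered only for logged-in users: unauthenticated visitors have no
// reason to change theme settings, so the nopriv hook is simply not added.
add_action( 'wp_ajax_demo_theme_save_setting_secure', 'demo_theme_save_setting_secure' );

function demo_theme_save_setting_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'demo_theme_save_setting', 'nonce' );

    // 2. Authorization: the caller must hold the capability the action needs.
    //    This is the check whose absence yields a "Missing Authorization" finding.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation before touching persistent state.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'demo_theme_footer_text', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}

// The same rule applies to REST routes: permission_callback is where the
// authorization decision belongs. Passing '__return_true' there would
// reintroduce the flaw for any caller.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-theme/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( $request->get_param( 'value' ) );
            update_option( 'demo_theme_footer_text', $value );
            return rest_ensure_response( array( 'saved' => $value ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'edit_theme_options' );
        },
    ) );
} );
```

When reviewing a theme for this class of issue, the quickest triage is to list every `wp_ajax_nopriv_*` and `admin_post_nopriv_*` hook and every `permission_callback` set to `__return_true`, then confirm for each that the action is genuinely meant to be public and that it writes nothing privileged.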
Exploitation Conditions
Exploitation requires no special authentication: because access control is broken, actions meant for administrators can be performed by unauthenticated or lower-privileged users who can interact with the theme's endpoints. The attack surface is exposed via the theme's codebase, and because it is a theme (not a plugin), simply deactivating the theme does not remove the threat unless a mitigation rule is deployed [1].
Impact
An attacker who successfully exploits this flaw could escalate their privileges or manipulate site settings, themes, or content without authorization. This vulnerability is used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1]. The CVSS v3 score is 5.4 (Medium), indicating a moderate severity due to the potential for widespread automated attacks.
Mitigation Status
The theme has not received updates for five months and is unlikely to receive a patch; the vendor recommends replacing the theme entirely. As a workaround, users can apply a custom security rule or use a Web Application Firewall (WAF) like Patchstack to block exploitation attempts. Since the theme is no longer maintained, the only definitive fix is to remove and replace it with a supported alternative [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: <=1.0.9
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.