CVE-2025-64259

The Theater for WordPress plugin, used for managing theater performances, contains a missing authorization vulnerability in versions up to and including 0.18.8. This issue arises from insufficient access control checks, allowing users to exploit incorrectly configured security levels [1].

An attacker can exploit this vulnerability without authentication, sending specially crafted requests to trigger unauthorized actions. The CVSS score of 5.3 (Medium) reflects the low attack complexity and network attack vector. The vulnerability is part of a broken access control class, where missing nonce or capability checks enable privilege escalation [1].

Successful exploitation could allow an unprivileged attacker to perform actions reserved for higher-level users, such as modifying theater schedules or settings. The exact impact depends on the specific functionality exposed, but it could lead to unauthorized data alteration or disclosure [1].

The vulnerability has been addressed in version 0.19 of the plugin. Users are strongly advised to update immediately. For those unable to update, implementing additional access controls or consulting with a web developer is recommended. Patchstack also offers auto-update for vulnerable plugins [1].