Medium severity4.3NVD Advisory· Published Dec 9, 2025· Updated Apr 27, 2026

CVE-2025-66527

Description

Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lobo: from n/a through <= 2.8.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Lobo theme <=2.8.6 allows unauthenticated attackers to exploit incorrectly configured access controls.

Vulnerability

Overview

CVE-2025-66527 is a missing authorization vulnerability in the VanKarWai Lobo WordPress theme, affecting versions from n/a through 2.8.6.8.6. The issue stems from an incorrectly configured access control security level, which fails to properly enforce authorization checks on certain functions. This type of flaw is classified as a broken access control vulnerability, where missing authentication or nonce token checks can allow unprivileged users to execute actions that should require higher privileges [1].

Exploitation

Attackers can exploit this vulnerability without needing any prior authentication or special privileges. The missing authorization check means that any visitor to a WordPress site running the vulnerable Lobo theme can potentially trigger privileged actions. This makes the attack surface broad, as no special network position or network position is required beyond being able to send requests to the affected site. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as administrators. This could include modifying theme settings, accessing sensitive data, or performing other unauthorized operations. The exact impact depends on the specific functions that lack authorization checks, but the core issue is that an attacker can bypass access controls and act with elevated privileges [1].

Mitigation

The vendor has released a patch is available by updating the Lobo theme to a version newer than 2.8.6. Users are strongly advised to update immediately. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. The vulnerability has a CVSS v3 score of 4.3, indicating a medium severity, but its ease of exploitation and potential for mass exploitation in mass campaigns make it a significant risk [1].

References

Broken Access Control in WordPress Lobo Theme

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

VanKarWai/Lobollm-fuzzy
Range: <=2.8.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-broken-access-control-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000