CVE-2025-67568
Description
Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Basel: from n/a through <= 5.9.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Basel WordPress theme ≤5.9.1 has a missing authorization vulnerability that allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Overview
The Basel WordPress theme, versions 5.9.1 and earlier, contains a missing authorization vulnerability. This flaw stems from an incorrectly configured access control security level, which fails to properly enforce privilege checks on certain functions. As a result, the theme does not adequately verify that a user has the necessary permissions before allowing access to higher-privileged actions [1].
Exploitation Method
This vulnerability is classified as a broken access control issue, meaning it can be exploited without requiring authentication or a valid nonce token. Attackers can target thousands of websites running the affected theme in mass-exploit campaigns, regardless of the site's size or popularity. The attack surface is broad because the vulnerability exists in a widely used commercial theme [1].
Impact
Successful exploitation allows an unprivileged user to execute actions that should be reserved for higher-privileged roles, such as administrators. This can lead to unauthorized modification of site settings, content, or other sensitive operations, potentially compromising the entire WordPress installation [1].
Mitigation
The vendor has released a patched version beyond 5.9.1. Users are strongly advised to update the Basel theme immediately. If updating is not possible, site owners should contact their hosting provider or a web developer for assistance. The vulnerability has a CVSS v3 score of 5.3 (Medium), reflecting the potential for widespread exploitation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=5.9.1
- (no CPE) range: <=5.9.1
Package: https://wordpress.org/themes/basel
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.