CVE-2025-67572
Description
Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PenNews: from n/a through < 6.7.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in PenNews theme <6.7.4 allows unauthenticated attackers to exploit incorrect access control, potentially accessing restricted features.
Vulnerability
The PenNews WordPress theme suffers from a missing authorization vulnerability, classified as broken access control [1]. This flaw allows attackers to bypass intended security checks and perform actions that should require higher privileges. The vulnerability affects all versions prior to 6.7.4.
Exploitation
Attackers can exploit this issue without needing prior authentication or elevated permissions [1]. By sending specially crafted requests, they can invoke administrative functions or view sensitive content. The lack of proper authorization checks makes it possible for unprivileged users to execute actions reserved for administrators.
Impact
Successful exploitation can lead to unauthorized access to administrative interfaces, modification of website settings, or disclosure of confidential data. In some cases, this can result in full site takeover or inclusion in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vulnerability is patched in version 6.7.4 of the PenNews theme. Users are strongly advised to update immediately. If updating is not possible, implement security measures such as restricting access to sensitive endpoints or using a web application firewall [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <6.7.4
- (no CPE) range: < 6.7.4
Package: https://wordpress.org/themes/pennews
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.