CVE-2025-26733
Published: 27 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-26733 is a missing authorization vulnerability, classified under CWE-862, in the Traveler WordPress theme developed by shinetheme. It affects Traveler versions before 3.2.1; the record gives the lower bound of the affected range as n/a. Published on 2025-03-27, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), a high severity rating that reflects network reachability and the absence of any privilege or user-interaction prerequisite.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation has high integrity impact, allowing unauthorized modification of application data, and low availability impact, which may partially disrupt service.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-1-8-broken-access-control-vulnerability?_s_id=cve details the broken access control issue in the Traveler theme. Mitigation is to update to version 3.2.1 or later; versions before 3.2.1 remain vulnerable.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated vulnerability in a public-facing WordPress theme, directly enabling exploitation via T1190. The high integrity impact from unauthorized modifications to application data directly facilitates T1565.001 Stored Data Manipulation.