CVE-2025-26956
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26956 is a Missing Authorization vulnerability (CWE-862) in the shinetheme Traveler WordPress theme. Affected versions: all Traveler releases prior to 3.2.1 (no lower bound is given, listed as "n/a").
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H). Low-privileged users (PR:L) can exploit it remotely over the network with low attack complexity and without requiring user interaction, potentially resulting in low confidentiality and integrity impacts alongside high availability disruption.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-1-8-broken-access-control-vulnerability-2?_s_id=cve details the broken access control issue in the Traveler theme. Mitigation requires updating to Traveler version 3.2.1 or later.
Details
- CWE(s): CWE-862 (Missing Authorization)
- MITRE ATT&CK Enterprise Techniques
Why these techniques?
A missing authorization (broken access control) vulnerability in a public-facing WordPress theme lets low-privileged, authenticated users exploit the application remotely, which matches the initial-access technique described above.