Description
The Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
Published: 2025-01-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Option Modification Leading to Site Downtime
Action: Apply Patch
AI Analysis

Impact

The Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme is missing a capability check in the cmsmasters_hide_admin_notice function. This flaw allows an authenticated user with the Subscriber role or higher to set option values on the WordPress site to 'hide'. Because these options can control error handling, registration settings, or other critical behaviors, an attacker can corrupt configuration data and trigger an error that disrupts user access, potentially leading to a denial of service. The weakness is a classic missing authorization flaw, classified as CWE‑862.

Affected Systems

Vendors: cmsmasters. Product: Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme. Versions affected are all releases up to and including 2.0.4.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, which is consistent with limited exploit activity so far. Attackers must authenticate with a Subscriber or higher account to exploit the flaw, which limits the pool of potential attackers to users who can log in. Once authenticated, the user can modify options to create site errors or disrupt services without requiring any additional privileges.

Generated by OpenCVE AI on April 22, 2026 at 13:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Buzz Club theme to the latest version (2.0.5 or newer), which addresses the missing capability check.
  • If an upgrade is not immediately possible, reset all theme options to their default values and restrict the ability of Subscriber accounts to edit theme options via a role‑based access control plugin.
  • Implement monitoring of theme option changes and review user activity logs to detect unauthorized modifications.

Advisories
Source: EUVD
ID: EUVD-2025-1729
History

Tue, 21 Jan 2025 22:15:00 +0000

Values added:

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 18 Jan 2025 07:15:00 +0000

Values added:

  • Description: the vulnerability description given under Description above
  • Title: Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Option Update
  • Weaknesses: CWE-862
  • References
  • Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:25.366Z

Reserved: 2025-01-16T14:38:21.630Z

Link: CVE-2025-0515

Vulnrichment

Updated: 2025-01-21T21:26:52.940Z

NVD

Status: Deferred

Published: 2025-01-18T07:15:09.903

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0515

OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z
