Impact
The Homey theme for WordPress contains an authentication bypass flaw that permits an unauthenticated user to log in as the first verified account in the system. The defect arises because the theme does not check whether the 'verification_id' field is empty on the dashboard user profile page, allowing the value to be submitted without validation. This flaw falls under CWE‑288 (Authentication Mechanism Failure). If exploited, an attacker gains the privileges of that verified user, which can include administrative capabilities on the WordPress site, potentially compromising site content, configuration, and user data.
Affected Systems
The vulnerability affects the Homey WordPress theme distributed by Fave Themes version 2.4.3 and all earlier releases. No other vendor or product is listed, and the affected versions are not further narrowed beyond the final release number 2.4.3.
Risk and Exploitability
The CVSS score of 8.1 classifies the issue as high severity. The EPSS score of less than 1 % indicates limited historic exploitation probability, and the vulnerability is not included in the CISA KEV catalog. The likely attack vector is remote web‑based interaction with the dashboard profile page, and the attack requires no prior authentication but does need at least one verified user to exist. An attacker could exploit the missing empty value check to authenticate as that user, thereby achieving the impact described above.
OpenCVE Enrichment
EUVD