Description
Missing Authorization vulnerability in ThemeGoods Photography photography allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photography: from n/a through <= 7.7.2.
Published: 2025-02-14
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Photography theme (ThemeGoods Photography) contains a missing authorization flaw that allows attackers to bypass intended access control checks. By exploiting incorrectly configured security levels, an attacker can read, modify or delete content that should be protected, potentially enabling further compromise of the site. The weakness is a classic broken access control (CWE‑862).

Affected Systems

All installations of ThemeGoods Photography versions n/a through 7.7.2 are affected. This includes any WordPress site that has loaded the theme prior to the release of the patched version. No support for newer or patched releases is indicated in the current data.

Risk and Exploitability

With a CVSS score of 6.3 the flaw is considered moderate, but the EPSS score of less than 1% indicates a low probability of exploitation at present, and it is not listed in CISA's KEV catalog. The vulnerability can be exploited by any actor who can access the public website, typically via HTTP requests to theme‑specific endpoints. No exploitation prerequisites beyond normal web access are stated, so the attack vector is assumed to be web‑based. If the attacker can identify an unprotected administrative or media endpoint exposed by the theme, the missing authorization check can be leveraged.

Generated by OpenCVE AI on May 1, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Photography theme to a version newer than 7.7.2, ensuring the patch replaces the vulnerable access control logic.
  • If an upgrade is not immediately possible, deactivate or uninstall the Photography theme to eliminate the vulnerable code path.
  • Apply additional WordPress security hardening measures, such as enforcing the principle of least privilege for user accounts, restricting file‑upload directories to non‑public areas, and regularly scanning for unauthorized files.

Generated by OpenCVE AI on May 1, 2026 at 16:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2928 Missing Authorization vulnerability in EPC Photography. This issue affects Photography: from n/a through 7.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in EPC Photography. This issue affects Photography: from n/a through 7.5.2. Missing Authorization vulnerability in ThemeGoods Photography photography allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photography: from n/a through <= 7.7.2.
Title WordPress Photography theme <= 7.5.2 - Broken Access Control vulnerability WordPress Photography Theme <= 7.7.2 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00046}

 epss

{'score': 0.00051}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00064}

 epss

{'score': 0.00046}

Fri, 14 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in EPC Photography. This issue affects Photography: from n/a through 7.5.2.
Title WordPress Photography theme <= 7.5.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:34:57.319Z

Reserved: 2025-01-07T21:03:24.132Z

Link: CVE-2025-22702

cve-icon Vulnrichment

Updated: 2025-02-14T13:31:18.748Z

cve-icon NVD

Status : Deferred

Published: 2025-02-14T13:15:42.893

Modified: 2026-06-17T08:49:23.670

Link: CVE-2025-22702

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T16:30:20Z

Weaknesses