Description
The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import, export, and update theme options.
Published: 2025-03-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized theme option manipulation
Action: Patch
AI Analysis

Impact

The Zegen - Church WordPress Theme contains a missing capability check on several AJAX endpoints. This flaw allows any authenticated user with Subscriber-level access or higher to import, export, and update theme options. The weakness corresponds to CWE-862, lacking proper authorization enforcement. An attacker can import, export, and update theme options.

Affected Systems

The vulnerability affects the Zegen - Church WordPress Theme delivered by zozothemes. All releases up to and including version 1.1.9 are impacted, including any WordPress site that has installed these versions of the theme.

Risk and Exploitability

The CVSS score of 4.3 places this issue in the moderate severity range, indicating that while it does not enable full code execution, it grants significant administrative control over theme configuration. The EPSS score of less than 1% shows a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an authenticated user; an attacker must first obtain legitimate login credentials or a session cookie to benefit from the missing authorization. Once authenticated, the attacker can exploit the unprotected AJAX endpoints to alter theme options.

Generated by OpenCVE AI on April 22, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Zegen - Church WordPress Theme to the latest released version that includes the missing capability check.
  • If an update is not immediately available, restrict Subscriber-level users from accessing the WordPress administrative area or remove the AJAX endpoints temporarily via custom code or a security plugin.
  • Audit all theme options for unexpected changes and restore any configurations that have been tampered with.
  • Monitor site logs for unusual activity on theme‑related AJAX endpoints and keep an eye on any future updates from zozothemes that address this flaw.

Generated by OpenCVE AI on April 22, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7557 The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import, export, and update theme options.
History

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00047}

 epss

{'score': 0.00062}

Thu, 10 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Mar 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Zozothemes
Zozothemes zegen
CPEs cpe:2.3:a:zozothemes:zegen:*:*:*:*:*:wordpress:*:*
Vendors & Products Zozothemes
Zozothemes zegen

Fri, 14 Mar 2025 05:30:00 +0000

Type Values Removed Values Added
Description The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import, export, and update theme options.
Title Zegen - Church WordPress Theme <= 1.1.9 - Missing Authorization to Authenticated (Subscriber+) Theme Options Updates
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Zozothemes Zegen
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:11.179Z

Reserved: 2025-03-13T16:31:13.634Z

Link: CVE-2025-2289

cve-icon Vulnrichment

Updated: 2025-04-10T14:50:26.444Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-14T06:15:25.230

Modified: 2025-03-21T15:03:12.617

Link: CVE-2025-2289

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses