Description
Missing Authorization vulnerability in Themes4WP Bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through 1.0.11.
Published: 2025-05-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bulk theme plugin for WordPress contains a missing authorization flaw that permits users lacking proper privileges to invoke administrative functions that should be restricted. This broken access control can lead to unauthorized configuration changes or data exposure within the site, as the vulnerability arises from improper enforcement of ACLs in the plugin’s code. The weakness is classified as CWE-862.

Affected Systems

Bulk theme (Themes4WP:Bulk) from any prior release up through version 1.0.11. Although the product identifier is “Themes4WP:Bulk,” the vulnerability affects all deployments of this theme until an update beyond 1.0.11 is installed.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate risk, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation would most likely occur through normal web requests to the theme’s publicly exposed endpoints; an attacker needs only valid user credentials that grant some level of site access but not administrative rights. Once the attacker interacts with the vulnerable functions, they can perform privileged operations that should otherwise be forbidden.

Generated by OpenCVE AI on May 1, 2026 at 08:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bulk theme to the latest version (1.0.12 or later) which resolves the missing authorization checks.
  • If the theme is not actively required, remove or replace it with a maintained alternative to eliminate the attack surface.
  • Conduct a review of the WordPress site’s user roles and capabilities, ensuring that only users with the appropriate permissions can access or modify theme settings and that the theme’s administrative pages are properly protected by ACLs.

Generated by OpenCVE AI on May 1, 2026 at 08:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27728 Missing Authorization vulnerability in Themes4WP Bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through 1.0.11.
History

Tue, 28 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Themes4WP Bulk bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through <= 1.0.11. Missing Authorization vulnerability in Themes4WP Bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through 1.0.11.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Themes4WP Bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through 1.0.11. Missing Authorization vulnerability in Themes4WP Bulk bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through <= 1.0.11.
References

Tue, 20 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 17:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Themes4WP Bulk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Bulk: from n/a through 1.0.11.
Title WordPress Bulk theme <= 1.0.11 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:40.878Z

Reserved: 2025-02-17T11:49:35.311Z

Link: CVE-2025-26867

cve-icon Vulnrichment

Updated: 2025-05-20T14:07:06.303Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T17:15:23.510

Modified: 2026-04-28T19:29:45.963

Link: CVE-2025-26867

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses