Description
Missing Authorization vulnerability in themeton Acerola acerola allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acerola: from n/a through <= 1.6.5.
Published: 2025-05-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Acerola theme for WordPress exposes functionality that is not protected by an authorization check, so a request that reaches it is processed without confirming that the caller holds the capability the action should require (CWE-862, Missing Authorization; the record pairs it with the attack pattern "Exploiting Incorrectly Configured Access Control Security Levels"). The CVSS vector records PR:N, so no account is needed: anyone who can trigger the vulnerable functionality can perform operations that should be restricted to privileged users. The rated consequence is a low loss of integrity, with no confidentiality or availability impact.

Affected Systems

Acerola theme versions up to and including 1.6.5 from the vendor themeton are affected; the record gives no lower bound ("from n/a"), so every earlier release should be treated as affected too. Any WordPress site running the theme at version 1.6.5 or earlier carries the flaw regardless of other hardening on the site, because the missing check is in the theme's own code; site-level controls can at most limit who can reach the affected functionality. The installed version is the "Version:" header in the theme's style.css and is shown under Appearance > Themes.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: the flaw is reachable over the network, needs no privileges or user interaction, and its rated impact is a low loss of integrity with no confidentiality or availability impact. The EPSS is below 1%, indicating a low estimated probability of exploitation in the wild at the time of scoring, and the CVE is not in the CISA KEV catalog. The SSVC assessment attached on 16 May 2025 rates it Exploitation: none, Automatable: yes, Technical Impact: partial. Exploitation requires reaching and invoking the theme's vulnerable functionality over HTTP; the consequence is unauthorized execution of theme-controlled operations. Nothing in the record describes remote code execution or data exfiltration, and the vector's C:N is consistent with that.

Generated by OpenCVE AI on April 30, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Acerola theme to a release newer than 1.6.5 as soon as the vendor publishes one; the record currently lists no fixed version, so confirm the fix in the vendor's changelog before relying on the upgrade
  • If an upgrade is not immediately possible, deactivate or remove the Acerola theme from the WordPress installation
  • Review the theme's code so that every privileged operation (admin-ajax.php actions, admin-post.php handlers, REST routes, form handlers) performs a capability check before acting, and monitor the site for anomalous activity such as unexpected changes to theme options or content

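
The flaw class described under Impact and the code-review step in the recommended actions, as an added illustration that is not code from the Acerola theme, from themeton or from OpenCVE: a WordPress admin-ajax.php handler and a REST route written the way CWE-862 usually appears in themes, beside the hardened form. The myth_* function names, the option key, the action slugs and the route are hypothetical; the record does not describe where in Acerola the missing check is.

```php
<?php
// Added illustration (not Acerola code): the myth_* names, option key and
// action slugs are hypothetical. Drop into a theme's functions.php to try it.

// ---- Vulnerable pattern (CWE-862) ----------------------------------------
function myth_vuln_save_footer() {
    // No nonce, no capability check: any request that reaches
    // /wp-admin/admin-ajax.php?action=myth_save_footer rewrites the option.
    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'myth_footer_text', $text );
    wp_send_json_success( array( 'saved' => $text ) );
}
add_action( 'wp_ajax_myth_save_footer', 'myth_vuln_save_footer' );
// The nopriv hook is what makes this reachable with no account at all (PR:N).
add_action( 'wp_ajax_nopriv_myth_save_footer', 'myth_vuln_save_footer' );

// ---- Hardened pattern ------------------------------------------------------
function myth_safe_save_footer() {
    // CSRF: the request must carry a nonce minted for this action
    // (wp_create_nonce( 'myth_save_footer' ) on the settings page).
    // check_ajax_referer() dies on failure; it is NOT an authorization check.
    check_ajax_referer( 'myth_save_footer', 'nonce' );

    // Authorization: the check whose absence this CVE class is about.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'myth_footer_text', $text );
    wp_send_json_success( array( 'saved' => $text ) );
}
add_action( 'wp_ajax_myth_save_footer_safe', 'myth_safe_save_footer' );
// No wp_ajax_nopriv_ registration: logged-out callers get the default "0".

// ---- Same mistake on a REST route ------------------------------------------
function myth_rest_save_footer( WP_REST_Request $request ) {
    $text = sanitize_text_field( (string) $request->get_param( 'footer_text' ) );
    update_option( 'myth_footer_text', $text );
    return rest_ensure_response( array( 'saved' => $text ) );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'myth/v1', '/footer', array(
        'methods'  => 'POST',
        'callback' => 'myth_rest_save_footer',
        // Vulnerable form: 'permission_callback' => '__return_true'
        // (or omitting the key entirely). Hardened form:
        'permission_callback' => function () {
            return current_user_can( 'edit_theme_options' );
        },
        'args'     => array(
            'footer_text' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

Two separate checks matter here: check_ajax_referer() only proves the request came from a page that rendered a nonce for this action (CSRF protection), while current_user_can() is the authorization decision; a handler with a nonce but no capability check is still CWE-862. When reviewing a theme for this class of bug, list every callback registered on wp_ajax_nopriv_*, admin_post_nopriv_*, or a REST route whose permission_callback is __return_true or missing, and confirm each one is genuinely meant to be public.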

Advisories

Source: EUVD
ID: EUVD-2025-15462
Title: Missing Authorization vulnerability in themeton Acerola allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acerola: from n/a through 1.6.5.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Missing Authorization vulnerability in themeton Acerola allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acerola: from n/a through 1.6.5.
    Added: Missing Authorization vulnerability in themeton Acerola acerola allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Acerola: from n/a through <= 1.6.5.
  Title
    Removed: WordPress Acerola <= 1.6.5 - Broken Access Control Vulnerability
    Added: WordPress Acerola theme <= 1.6.5 - Broken Access Control Vulnerability
  References
  Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 16 May 2025 16:15:00 +0000
  Metrics (ssvc), added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000
  Description, added: Missing Authorization vulnerability in themeton Acerola allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acerola: from n/a through 1.6.5.
  Title, added: WordPress Acerola <= 1.6.5 - Broken Access Control Vulnerability
  Weaknesses, added: CWE-862
  References
  Metrics (cvssV3_1), added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:04.723Z

Reserved: 2025-03-26T09:25:47.353Z

Link: CVE-2025-31066

Vulnrichment

Updated: 2025-05-16T16:06:13.807Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:36.737

Modified: 2026-04-23T15:27:38.600

Link: CVE-2025-31066

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:00:14Z

Weaknesses