Description
Missing Authorization vulnerability in Xpro Xpro Theme Builder xpro-theme-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xpro Theme Builder: from n/a through <= 1.2.8.4.
Published: 2025-04-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw in the Xpro Theme Builder plugin that removes necessary authorization checks, allowing an attacker to perform actions on the site they should not have permission to execute. The impact includes unauthorized reading, editing, or deletion of site content and configuration, which could lead to data integrity issues, site defacement, or further compromise of the WordPress installation. This weakness corresponds to CWE-862, Authorization Bypass Through User-Controlled Data.

Affected Systems

The vendor Xpro provides the Xpro Theme Builder plugin. All releases up to and including version 1.2.8.4 are affected; no earlier version boundary is specified in the advisory. WordPress sites utilizing any of these plugin versions are at risk until the issue is patched.

Risk and Exploitability

The assessed CVSS score is 4.3, indicating moderate severity, and the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not catalogued under the CISA Known Exploited Vulnerabilities (KEV). Because the flaw is an authorization bypass, the typical exploitation route would involve an authenticated user or an attacker that can masquerade with elevated privileges; this inference is based on the nature of the weakness and the description. Successful exploitation would allow the attacker to conduct unauthorized actions through the plugin’s exposed functionality.

Generated by OpenCVE AI on May 1, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Xpro Theme Builder plugin to version 1.2.8.5 or later, which removes the missing authorization checks.
  • Reconfigure WordPress user roles to enforce the principle of least privilege, ensuring that only trusted administrators have the capability to manage theme builder settings.
  • Deploy application-layer defenses such as a web-application firewall or rate-limiting rules targeting the plugin's API endpoints to mitigate potential unauthorized access attempts while the patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 00:27 UTC.
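
The advisory describes the general CWE-862 pattern (a handler that changes site state without checking who is calling it) but contains no code. The following is an added illustration, not code from the Xpro Theme Builder plugin or from OpenCVE: it shows the shape of a WordPress admin-ajax handler that lacks authorization next to a hardened version, and the equivalent rule for REST routes. The hook names, option name, nonce action and REST namespace are hypothetical; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `register_rest_route` with `permission_callback`) are real.

```php
<?php
// Added illustration; not code from the Xpro Theme Builder plugin.
// Hook names, option name and REST namespace below are hypothetical.

// --- BEFORE: the CWE-862 pattern (Missing Authorization) ---
// Every logged-in user can reach a wp_ajax_* hook, regardless of role, and a
// wp_ajax_nopriv_* hook is reachable without logging in at all. This handler
// writes an option without checking a capability or a nonce.
add_action( 'wp_ajax_example_tb_save_settings', 'example_tb_save_settings_unsafe' );
function example_tb_save_settings_unsafe() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'example_tb_settings', $settings ); // hypothetical option name
    wp_send_json_success();
}

// --- AFTER: authorization enforced before any state change ---
add_action( 'wp_ajax_example_tb_save_settings_v2', 'example_tb_save_settings_safe' );
function example_tb_save_settings_safe() {
    // 1. Capability check: only users who may manage the site get past this line.
    //    Use the narrowest capability that fits the action; manage_options is
    //    the usual choice for plugin-wide settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Nonce check: ties the request to a page the same user was actually
    //    served, so a third-party site cannot drive the action (CSRF).
    check_ajax_referer( 'example_tb_save_settings', 'nonce' );

    // 3. Validate and sanitize input only after the caller is authorized.
    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_tb_settings', $settings );
    wp_send_json_success();
}

// The same rule for REST routes: permission_callback is where authorization
// lives. Returning __return_true there makes the route public, which is the
// REST-API form of the same bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-tb/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $settings = sanitize_text_field( (string) $request->get_param( 'settings' ) );
            update_option( 'example_tb_settings', $settings );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of issue, the audit is mechanical: list every `wp_ajax_*`, `wp_ajax_nopriv_*` and `register_rest_route` registration and confirm that each callback that reads or writes privileged data performs a capability check (or has a non-trivial `permission_callback`) before doing so. On the detection side, the CVSS vector on this page (PR:L) means the relevant signal is state-changing requests to `admin-ajax.php` or the plugin's REST namespace from accounts that are not administrators, which is worth alerting on until the patched version is deployed.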

Advisories
Source: EUVD
ID: EUVD-2025-9827
Title: Missing Authorization vulnerability in Xpro Xpro Theme Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xpro Theme Builder: from n/a through 1.2.8.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in Xpro Xpro Theme Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xpro Theme Builder: from n/a through 1.2.8.3.
Values Added: Missing Authorization vulnerability in Xpro Xpro Theme Builder xpro-theme-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xpro Theme Builder: from n/a through <= 1.2.8.4.

Type: Title
Values Removed: WordPress Xpro Theme Builder Plugin <= 1.2.8.3 - Broken Access Control vulnerability
Values Added: WordPress Xpro Theme Builder Plugin <= 1.2.8.4 - Broken Access Control vulnerability

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Fri, 04 Apr 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in Xpro Xpro Theme Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xpro Theme Builder: from n/a through 1.2.8.3.

Type: Title
Values Added: WordPress Xpro Theme Builder Plugin <= 1.2.8.3 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:18.653Z

Reserved: 2025-04-04T10:01:28.633Z

Link: CVE-2025-32201

Vulnrichment

Updated: 2025-04-04T19:52:58.850Z

NVD

Status : Deferred

Published: 2025-04-04T16:15:30.253

Modified: 2026-04-23T15:28:44.820

Link: CVE-2025-32201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses