Description
Missing Authorization vulnerability in SeventhQueen Kleo kleo.This issue affects Kleo: from n/a through < 5.4.4.
Published: 2025-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the SeventhQueen Kleo WordPress theme that allows users to perform actions or view content that should be restricted. This flaw enables unauthorized access to potentially sensitive data or administrative functions within a WordPress site, compromising the confidentiality and integrity of site content.

Affected Systems

All installations of the Kleo theme by SeventhQueen with version numbers below 5.4.4 are affected. The flaw is present from the earliest available release through any version older than 5.4.4 on WordPress sites.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity vulnerability, while the EPSS score of less than 1% reflects a very low predicted exploitation probability. The flaw is not currently listed in CISA KEV. The lack of an authorization check suggests that an attacker who can access the WordPress site or submit crafted requests could exploit the theme to gain unintended permissions, though the precise attack surface and conditions are not detailed in the advisory.

Generated by OpenCVE AI on April 30, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Kleo theme to version 5.4.4 or later to apply the vendor's fix for the authorization issue.
  • If an upgrade cannot be performed immediately, restrict theme functionality for non‑administrative users via role‑based access control or a plugin that disables theme edits for unprivileged roles.
  • Conduct a review of the theme’s code or installed configuration to ensure that any privileged operations now include proper authorization checks, and monitor access logs for suspicious activity.

Generated by OpenCVE AI on April 30, 2026 at 20:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12573 Missing Authorization vulnerability in SeventhQueen Kleo.This issue affects Kleo: from n/a before 5.4.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in SeventhQueen Kleo.This issue affects Kleo: from n/a before 5.4.4. Missing Authorization vulnerability in SeventhQueen Kleo kleo.This issue affects Kleo: from n/a through < 5.4.4.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 28 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 28 Apr 2025 09:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in SeventhQueen Kleo.This issue affects Kleo: from n/a before 5.4.4.
Title WordPress Kleo theme < 5.4.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.568Z

Reserved: 2025-04-16T06:22:20.495Z

Link: CVE-2025-39367

cve-icon Vulnrichment

Updated: 2025-04-28T12:49:53.197Z

cve-icon NVD

Status : Deferred

Published: 2025-04-28T09:15:21.397

Modified: 2026-04-23T15:29:25.267

Link: CVE-2025-39367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T21:00:15Z

Weaknesses