The vulnerability involves a missing authorization check in the ThimPress Eduma theme that allows an attacker to exploit incorrectly configured access control security levels. An attacker could gain unauthorized access to administrative or privileged functions within the WordPress site, potentially compromising the confidentiality, integrity, and availability of site content and settings. This flaw is identified as CWE-862, indicating that proper authorization is not enforced where required.

The affected product is the ThimPress Eduma theme for WordPress, specifically all versions up to and including 5.6.4. This includes installations where the theme’s access control settings are not properly configured, potentially allowing unauthorized use of privileged features.

The CVSS score of 5.3 places this vulnerability in the moderate category. Its EPSS score of less than 1% indicates a very low but non‑zero likelihood of exploitation at the time of analysis, and it is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is web‑based through HTTP requests to the theme’s administrative endpoints, and the flaw can be triggered without needing prior authentication, although the exact prerequisites are not explicitly stated. An attacker could exploit the broken access controls to elevate privileges or manipulate site content, making this a concern for site owners who rely on the theme’s default security configuration.