Description
The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the theme (the original advisory text says "plugin") not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address. CVE-2025-54725 is likely a duplicate of this issue.
Published: 2025-06-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Unauthorized Cookie
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Golo – City Travel Guide WordPress Theme lets an unauthenticated attacker obtain an authorization cookie for any user by supplying that user's email address: the theme issues the session for the matching account without verifying that the requester controls it. Because the cookie is set outside the normal login flow, the attacker lands in the account with all of its privileges, including administrative rights. The record classifies it as CWE‑288 (authentication bypass using an alternate path or channel); in practice it is a direct account takeover that compromises the confidentiality, integrity, and availability of the affected WordPress site.
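To make the weakness class concrete, the following is an added illustration written for this page, not code from the Golo theme: the function names, the AJAX action names and the request parameters are hypothetical, and the theme's actual code is not reproduced. The first handler shows the pattern the description implies (a client-supplied email is enough to receive a session); the second shows the cookie being issued only after WordPress itself has verified a credential.

```php
<?php
// Added illustration of CWE-288 in a WordPress context. NOT the Golo theme's code;
// the demo_* function names, the AJAX action names and the POST parameters are
// hypothetical.

// --- Vulnerable pattern: identity is taken on faith from a request parameter.
function demo_vulnerable_login_handler() {
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    // No password, no one-time token, no nonce bound to this user: knowing an
    // address is enough to be handed that account's session cookie. Because
    // wp_signon() is never called, 'wp_login' never fires either, so MFA and
    // login-monitoring plugins hooked there do not see this session being created.
    wp_set_auth_cookie( $user->ID, true );
    wp_set_current_user( $user->ID );
    wp_send_json_success( array( 'user' => $user->user_login ) );
}
// wp_ajax_nopriv_* hooks are reachable without authentication via admin-ajax.php.
add_action( 'wp_ajax_nopriv_demo_login', 'demo_vulnerable_login_handler' );

// --- Hardened pattern: the session is issued only after WordPress has verified
// a credential for the account.
function demo_hardened_login_handler() {
    check_ajax_referer( 'demo_login', '_wpnonce' ); // CSRF protection for the form itself
    $creds = array(
        'user_login'    => isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ) ) : '',
        'user_password' => isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '',
        'remember'      => false,
    );
    // wp_signon() checks the password hash against the stored one, sets the
    // auth cookie itself and fires 'wp_login', so the normal hooks see the login.
    $user = wp_signon( $creds, is_ssl() );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid credentials', 401 );
    }
    wp_send_json_success( array( 'user' => $user->user_login ) );
}
add_action( 'wp_ajax_nopriv_demo_login_hardened', 'demo_hardened_login_handler' );
```

If the feature behind such an endpoint is a passwordless or social login rather than a password form, the fix is the same in spirit: the email address that selects the account must come from something the server has verified (an identity token checked against the provider, or a random single-use token the site itself mailed to that address and stored with an expiry), never from a client-supplied parameter. Whatever path issues the cookie should also go through the normal login hooks, otherwise security plugins that watch wp_login never see the session.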

Affected Systems

All deployments of the Golo theme by uxper, versions up to and including 1.7.0, are affected: any WordPress site with this theme installed carries the vulnerable code.

Risk and Exploitability

The CVSS score of 9.8 classifies the flaw as critical: the vector (AV:N/AC:L/PR:N/UI:N) describes a network-reachable, low-complexity attack needing neither privileges nor user interaction, with high impact on confidentiality, integrity, and availability. The EPSS score of less than 1% indicates that exploitation is expected to be rare at present, and the flaw is not listed in the CISA KEV catalog. The only precondition is a valid email address for a target account; no credentials are required, and administrator addresses are often discoverable from contact pages, WHOIS records, or earlier breach data rather than being insider knowledge. The lack of known public exploitation lowers the urgency compared with an actively exploited zero‑day, but the severity of the outcome still warrants prompt action.

Generated by OpenCVE AI on April 21, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Golo theme as soon as a release that validates the user's identity before issuing the authorization cookie is available; this page records no fixed version, so confirm the fix against the vendor's changelog or the Wordfence advisory before relying on a version number
  • Until then, restrict access to the administrative area by IP whitelisting and enable multi‑factor authentication for all administrator accounts, with the caveat that MFA plugins which enforce the second factor only on the wp-login.php flow will not intercept a theme endpoint that sets the cookie directly, so MFA is defense in depth here rather than a mitigation
  • Monitor for anomalous login activity and unexpected cookie issuance using a security plugin or Web Application Firewall; an administrator session created without a corresponding wp-login.php request is the signature to alert on
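One way to obtain the "unexpected cookie issuance" signal from WordPress itself, as an added detection example rather than code from the theme or from OpenCVE: a must-use plugin that hooks the core set_auth_cookie action and records whether the cookie was produced by the normal wp_signon() path. The plugin name and the acaudit_ function prefix are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Auth Cookie Audit (added detection example; not part of the Golo theme)
 *
 * Drop into wp-content/mu-plugins/. Logs every authentication cookie WordPress
 * issues, with the request that triggered it and whether the request went
 * through wp_signon(). A cookie issued for an administrator by a request that
 * never passed wp_signon() is the condition to alert on.
 */

// wp_signon() fires the 'wp_authenticate' action before it sets the cookie,
// so this flag is already set when 'set_auth_cookie' runs for a normal login.
function acaudit_mark_signon( $user_login ) {
    $GLOBALS['acaudit_signon_seen'] = true;
}
add_action( 'wp_authenticate', 'acaudit_mark_signon' );

// 'set_auth_cookie' fires from wp_set_auth_cookie() regardless of the caller,
// so a theme or plugin that hands out sessions directly still lands here.
function acaudit_log_cookie( $auth_cookie, $expire, $expiration, $user_id, $scheme, $token ) {
    $user       = get_user_by( 'id', $user_id );
    $via_signon = ! empty( $GLOBALS['acaudit_signon_seen'] );
    $entry      = array(
        'time'       => gmdate( 'c' ),
        'user_id'    => (int) $user_id,
        'user_login' => $user ? $user->user_login : '?',
        'roles'      => $user ? implode( ',', (array) $user->roles ) : 'unknown',
        'via_signon' => $via_signon ? 'yes' : 'NO',
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '',
        'action'     => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        // Behind a reverse proxy, substitute the client address your proxy forwards.
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '',
        // A short hash of the session token, never the cookie value, so the log
        // cannot be used to replay the session.
        'token_hash' => substr( hash( 'sha256', (string) $token ), 0, 12 ),
    );
    error_log( 'acaudit ' . wp_json_encode( $entry ) );
}
add_action( 'set_auth_cookie', 'acaudit_log_cookie', 10, 6 );
```

The entries go to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled); forward them to whatever collects logs for the site and alert on via_signon=NO combined with an administrator role. Legitimate plugins also set cookies outside wp_signon() (for example, auto-login after registration), so baseline the normal sources before treating every such entry as an incident.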

Advisories
Source: EUVD
ID: EUVD-2025-16696
Title: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address.
Values Added: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address. CVE-2025-54725 is likely a duplicate of this issue.

Tue, 03 Jun 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 03 Jun 2025 04:30:00 +0000

Type: Description
Values Added: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address.
Type: Title
Values Added: Golo <= 1.7.0 - Authentication Bypass to Account Takeover
Type: Weaknesses
Values Added: CWE-288
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:25.504Z

Reserved: 2025-05-15T18:22:15.692Z

Link: CVE-2025-4797

Vulnrichment

Updated: 2025-06-03T14:50:22.915Z

NVD

Status : Deferred

Published: 2025-06-03T05:15:20.323

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4797

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses