Description
Missing Authorization vulnerability in uxper Sala allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sala: from n/a through 1.1.3.
Published: 2025-07-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the uxper Sala WordPress theme means the theme does not enforce its access control checks, so anyone who can reach the theme’s protected functions can invoke them without an authorization check. This failure of access control can allow a low‑privileged visitor to perform actions that should be limited to administrators, potentially compromising site integrity. The flaw, classified as CWE‑862, directly undermines the expected separation between user roles within the theme’s functionality, a classic broken access control scenario.

Affected Systems

The vulnerability affects the Sala theme developed by uxper. Any deployment of the theme at or below version 1.1.3 is affected, that is, every site running a copy of the theme from its initial release up to and including the 1.1.3 release.

Risk and Exploitability

With a CVSS score of 7.5, the flaw is considered high severity. The EPSS score is under 1%, indicating the probability of exploitation is presently low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, the lack of authorization checks means an attacker could, by simply sending crafted HTTP requests to the theme’s endpoints, trigger the unauthorized operations. The attack path requires only web access to the site and does not depend on additional privileges or special conditions, making the exploitation relatively straightforward if an attacker discovers the exposed functionality.

Generated by OpenCVE AI on April 30, 2026 at 09:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sala theme to the latest version that addresses the access control issue.
  • If an upgrade is not immediately possible, block or restrict access to the theme’s protected endpoints (e.g., via .htaccess rules or a security plugin’s capability filter) so that only authenticated administrators can reach them.
  • Apply an additional layer of access control by configuring the WordPress installation to enforce the "administrator" capability for any actions provided by the Sala theme, ensuring that all privileged operations are gated behind proper authorization checks.
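The capability check the last two bullets call for, shown as an added PHP illustration that is not code from the Sala theme or from OpenCVE: a WordPress AJAX handler exposed without any authorization check (the CWE‑862 pattern) beside the same handler gated by a capability and nonce check. All hook, option and function names below are hypothetical.

```php
<?php
// Added example, not the Sala theme's code. Every name here is hypothetical.
// The CWE-862 pattern in WordPress: a handler that performs a privileged
// action is registered on a wp_ajax_nopriv_ hook (reachable by any visitor
// through admin-ajax.php) and never checks who is calling it.

/** Vulnerable pattern: no capability check, no nonce, reachable unauthenticated. */
function example_theme_save_options_unguarded() {
    $value = isset( $_POST['setting'] ) ? sanitize_text_field( wp_unslash( $_POST['setting'] ) ) : '';
    update_option( 'example_theme_setting', $value ); // site-wide change by anyone
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_options_unguarded',        'example_theme_save_options_unguarded' );
add_action( 'wp_ajax_nopriv_example_save_options_unguarded', 'example_theme_save_options_unguarded' );

/** Hardened form: authorization (capability) plus CSRF protection (nonce). */
function example_theme_save_options_hardened() {
    // Authorization: only users holding manage_options (administrators by default)
    // may change a site-wide option. This is the gate the remediation describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    // Anti-CSRF: the request must carry a nonce issued to this user for this action;
    // check_ajax_referer() dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_save_options', 'nonce' );

    $value = isset( $_POST['setting'] ) ? sanitize_text_field( wp_unslash( $_POST['setting'] ) ) : '';
    update_option( 'example_theme_setting', $value );
    wp_send_json_success();
}
// Registered for logged-in users only; there is deliberately no nopriv hook.
add_action( 'wp_ajax_example_save_options', 'example_theme_save_options_hardened' );
```

Reviewing a theme for this class of bug means looking for every `wp_ajax_nopriv_`, REST route and admin-post handler that changes state and confirming each one reaches a `current_user_can()` check before doing so.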

Advisories
Source: EUVD
ID: EUVD-2025-21638
Title: Missing Authorization vulnerability in uxper Sala allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sala: from n/a through 1.1.3.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Missing Authorization vulnerability in uxper Sala sala allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Sala: from n/a through <= 1.1.3.
  Added: Missing Authorization vulnerability in uxper Sala allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sala: from n/a through 1.1.3.
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Missing Authorization vulnerability in uxper Sala allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sala: from n/a through 1.1.3.
  Added: Missing Authorization vulnerability in uxper Sala sala allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Sala: from n/a through <= 1.1.3.
References

Wed, 16 Jul 2025 15:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Metrics (epss)
  Added: {'score': 0.00029}


Wed, 16 Jul 2025 11:45:00 +0000

Description
  Added: Missing Authorization vulnerability in uxper Sala allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sala: from n/a through 1.1.3.
Title
  Added: WordPress Sala theme <= 1.1.3 - Broken Access Control Vulnerability
Weaknesses
  Added: CWE-862
References
Metrics (cvssV3_1)
  Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:19.397Z

Reserved: 2025-06-19T10:03:28.881Z

Link: CVE-2025-52803

Vulnrichment

Updated: 2025-07-16T14:17:36.877Z

NVD

Status: Deferred

Published: 2025-07-16T12:15:29.367

Modified: 2026-04-28T19:33:28.233

Link: CVE-2025-52803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:45:25Z

Weaknesses