Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo golo allows Authentication Abuse.This issue affects Golo: from n/a through <= 1.7.0.
Published: 2025-08-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass that arises from the Golo theme’s inability to properly verify authenticated sessions. By exploiting this flaw, an attacker can gain unauthorized access to the WordPress site and execute actions with the privileges of an authenticated user. The weakness is classified as CWE‑288, an Authentication Bypass flaw, and its impact includes potential compromise of confidentiality, integrity, and availability of the site.

Affected Systems

The issue affects the WordPress Golo theme supplied by uxper. All installations of the theme from the earliest available version through version 1.7.0 are vulnerable. Site operators should check that the Golo theme is either upgraded or removed if it is present.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating critical severity. The EPSS score is less than 1%, suggesting that exploitation has not been widely reported, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is via the web interface of the WordPress site, exploiting the theme’s alternate authentication path or channel as described. While defensive controls such as web application firewalls may reduce exposure, the core requirement for exploitation is that the vulnerable Golo theme remains active on a publicly reachable WordPress installation.

Generated by OpenCVE AI on April 30, 2026 at 07:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Golo theme to version 1.8 or later to eliminate the authentication bypass flaw.
  • If an upgrade is not immediately possible, deactivate the Golo theme and remove it from the active theme list in WordPress.
  • Implement a web application firewall rule designed to block requests that target the alternate authentication path or channel associated with the vulnerability.

Generated by OpenCVE AI on April 30, 2026 at 07:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25974 Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0. Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo golo allows Authentication Abuse.This issue affects Golo: from n/a through <= 1.7.0.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Uxper
Uxper golo
Wordpress
Wordpress wordpress
Vendors & Products Uxper
Uxper golo
Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0.
Title WordPress Golo Theme <= 1.7.0 - Broken Authentication Vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Uxper Golo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:35.872Z

Reserved: 2025-07-28T10:56:24.797Z

Link: CVE-2025-54725

cve-icon Vulnrichment

Updated: 2025-08-28T18:20:44.742Z

cve-icon NVD

Status : Deferred

Published: 2025-08-28T13:16:08.470

Modified: 2026-04-23T15:32:53.460

Link: CVE-2025-54725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses