Description
Missing Authorization vulnerability in ThemeMove Makeaholic makeaholic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Makeaholic: from n/a through <= 1.8.5.
Published: 2025-09-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the Makeaholic theme’s code, allowing an attacker to access or modify resources that should be restricted to authorized users. Exploiting incorrect configuration of access control can lead to unauthorized parameter changes, content manipulation, or arbitrary file uploads, potentially compromising site integrity and confidentiality. The flaw is classified under CWE‑862, highlighting an improper enforcement of authorization mechanisms.

Affected Systems

The issue affects the Makeaholic theme from ThemeMove for WordPress, specifically all releases up to and including version 1.8.5. The affected component runs within the WordPress ecosystem, typically installed as a theme by site administrators. Any site that has this theme deployed before the vulnerable version is potentially affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of active exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to target the web application, likely by sending crafted HTTP requests to endpoints provided by the theme that lack proper authorization checks. The attack vector is inferred to be remote Web, with local privileges not required.

Generated by OpenCVE AI on April 30, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Makeaholic theme to the latest available version above 1.8.5 or remove the theme entirely if an upgrade is not feasible.
  • Verify that only users with appropriate roles can access the theme’s configuration pages and enforce role‑based access controls via WordPress’s built‑in capabilities or a security plugin.
  • If the theme must remain in use, restrict access to its administrative endpoints by applying web server rules such as .htaccess redirects or IP whitelisting, and require authenticated sessions before any theme‑specific action can be performed.

Generated by OpenCVE AI on April 30, 2026 at 03:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26490 Missing Authorization vulnerability in ThemeMove Makeaholic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Makeaholic: from n/a through 1.8.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in ThemeMove Makeaholic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Makeaholic: from n/a through 1.8.5. Missing Authorization vulnerability in ThemeMove Makeaholic makeaholic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Makeaholic: from n/a through <= 1.8.5.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 28 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Thememove
Thememove makeaholic
CPEs cpe:2.3:a:thememove:makeaholic:*:*:*:*:*:wordpress:*:*
Vendors & Products Thememove
Thememove makeaholic

Wed, 03 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 07:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in ThemeMove Makeaholic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Makeaholic: from n/a through 1.8.5.
Title WordPress Makeaholic Theme <= 1.8.5 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Thememove Makeaholic
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:38:56.517Z

Reserved: 2025-08-27T16:19:10.126Z

Link: CVE-2025-58210

cve-icon Vulnrichment

Updated: 2025-09-03T19:15:31.718Z

cve-icon NVD

Status : Modified

Published: 2025-09-03T07:15:33.963

Modified: 2026-04-23T15:33:18.607

Link: CVE-2025-58210

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T03:15:26Z

Weaknesses