Description
Incorrect Privilege Assignment vulnerability in uxper Togo togo. This issue affects Togo: from n/a through < 1.0.4.
Published: 2025-11-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from incorrect privilege assignment in the Togo WordPress theme. It allows an attacker who can trigger code execution within the theme to assume higher privileges than the account they start with. Identified as CWE‑266, this flaw lets a user with limited permissions perform functions that should be restricted to administrators, potentially exposing site data and configuration.

Affected Systems

All installations of the uxper Togo theme older than version 1.0.4 are affected. Versions from the initial release through, but not including, 1.0.4 contain the flaw, so any site running Togo 1.0.3 or earlier remains vulnerable.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, while the EPSS score of less than 1% and the absence from the CISA KEV catalog imply a low current probability of exploitation. Nonetheless, the flaw can be abused by an authenticated WordPress user via the theme's activation or configuration interface. The likely attack vector is an attacker with at least editor access executing privileged theme code, which could result in administrator-level capabilities across the site.

Generated by OpenCVE AI on April 29, 2026 at 13:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Togo theme to version 1.0.4 or later to eliminate the privilege assignment flaw.
  • Restrict theme activation permissions so only administrators can activate or modify the Togo theme, and disable the Theme Editor in wp-config.php for all users.
  • Review and reduce user roles that have access to theme management to eliminate unnecessary privileges.


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 07 Nov 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 07 Nov 2025 11:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Incorrect Privilege Assignment vulnerability in uxper Togo togo. This issue affects Togo: from n/a through < 1.0.4.

Type: Title
Values Removed: (none)
Values Added: WordPress Togo theme < 1.0.4 - Privilege Escalation vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:49:39.716Z

Reserved: 2025-10-07T15:34:20.408Z

Link: CVE-2025-62034

Vulnrichment

Updated: 2025-11-07T14:04:14.839Z

NVD

Status: Deferred

Published: 2025-11-06T16:16:09.613

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:00:12Z

Weaknesses