Description
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.18.8.
Published: 2025-11-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Theater for WordPress plugin that allows an attacker to exploit incorrectly configured access control security levels. This flaw enables unauthorized users to perform actions that should be restricted by the plugin’s role checks, potentially leading to unauthorized content manipulation, deletion, or other administrative functions. The weakness is classified as CWE‑862.

Affected Systems

Jeroen Schmit Theatre for WordPress for all releases from the initial release through version 0.18.8 is affected. Sites that have an older or equal version of the plugin installed are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, though the EPSS score of less than 1% suggests low probability of exploitation. The vulnerability is listed as not in the CISA KEV catalog, implying that no known widespread exploitation has been reported. The most likely attack vector is automated or manual exploitation via the web interface, where an attacker with limited to no privileges could attempt to trigger administrative actions that should be gated by stronger access checks.

Generated by OpenCVE AI on April 29, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Theater for WordPress to a version newer than 0.18.8
  • If an upgrade is not possible, deactivate or uninstall the plugin until a patched version is available
  • Apply WordPress role‑based access controls to limit plugin usage to administrators only

Generated by OpenCVE AI on April 29, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Jeroen Schmit
Jeroen Schmit theater For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Jeroen Schmit
Jeroen Schmit theater For Wordpress
Wordpress
Wordpress wordpress

Thu, 13 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.18.8.
Title WordPress Theater for WordPress plugin <= 0.18.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Jeroen Schmit Theater For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:12.742Z

Reserved: 2025-10-29T03:08:22.608Z

Link: CVE-2025-64259

cve-icon Vulnrichment

Updated: 2025-11-13T17:47:33.759Z

cve-icon NVD

Status : Deferred

Published: 2025-11-13T10:15:51.140

Modified: 2026-04-27T16:16:38.373

Link: CVE-2025-64259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:15:19Z

Weaknesses