Impact
Scriptsbundle AdForest, a WordPress theme, suffers from a missing authorization flaw that allows an attacker to perform operations normally reserved for privileged users. The vulnerability stems from access control checks that are missing or misconfigured, so that users without the required privileges can reach or modify sensitive administrative features. Consequently, an attacker could potentially add, edit, or delete listings, upload malicious content, or manipulate user data, compromising the integrity and confidentiality of the site's content and user information.
Affected Systems
All installations of the AdForest theme supplied by scriptsbundle at version 6.0.11 or earlier are affected. Any WordPress site running this theme is exposed, regardless of how its user roles are configured, until the theme is updated to a version newer than 6.0.11.
Risk and Exploitability
The CVSS v3 score of 5.3 indicates moderate severity. The EPSS score is reported as below 1 %, signalling a low probability of exploitation at this time. The issue is not listed in CISA's KEV catalog. Based on the description, it is inferred that exploitation is likely possible from any authenticated user with normal privileges, or even from an unauthenticated attacker if the site's access controls are poorly configured. Because the flaw is purely an authorization issue, it requires no elevated privileges on the site or the network and can be triggered by directing a user to a protected administrative URL or by abusing a legitimate session.
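To make the class of flaw concrete, the following is an added example and not AdForest's code: a hypothetical theme AJAX handler for deleting a "listing" post, shown first without any authorization check and then with the checks a WordPress handler of this kind needs. The action names, function names and the `listing` post type are assumptions for the illustration.

```php
<?php
// Hypothetical WordPress theme AJAX handler for deleting a listing.
// Added illustration of a missing-authorization flaw and its fix;
// not taken from AdForest or any other real theme.

// BEFORE: no authorization. Registered for both logged-in and anonymous
// callers and never checks who is asking, so any visitor who knows the
// action name can delete any listing via admin-ajax.php.
function theme_delete_listing_unchecked() {
    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    wp_delete_post( $listing_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_theme_delete_listing_old', 'theme_delete_listing_unchecked' );
add_action( 'wp_ajax_nopriv_theme_delete_listing_old', 'theme_delete_listing_unchecked' );

// AFTER: the same operation behind three controls.
function theme_delete_listing_checked() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'theme_delete_listing', '_ajax_nonce' );

    $listing_id = absint( $_POST['listing_id'] ?? 0 );
    if ( ! $listing_id || 'listing' !== get_post_type( $listing_id ) ) {
        wp_send_json_error( 'invalid listing', 400 );
    }

    // 2. Authorization: 'delete_post' is a meta capability. For a post
    //    type registered with map_meta_cap it resolves to delete_posts
    //    for the owner and delete_others_posts for anyone else, so an
    //    ordinary subscriber is refused here.
    if ( ! current_user_can( 'delete_post', $listing_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $listing_id, true );
    wp_send_json_success();
}
// 3. Logged-in hook only: with no wp_ajax_nopriv_ registration,
//    anonymous requests never reach the handler at all.
add_action( 'wp_ajax_theme_delete_listing', 'theme_delete_listing_checked' );
```

When auditing a theme for this bug class, look for `wp_ajax_` and `wp_ajax_nopriv_` handlers (and `admin_post_` hooks) that perform writes without a `current_user_can()` call tied to the object being modified.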
OpenCVE Enrichment