Description
Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Struktur: from n/a through <= 2.5.1.
Published: 2025-12-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to bypass authorization controls by manipulating user‑controlled input values that identify protected resources within the Struktur theme. The flaw is an IDOR (CWE‑639) that permits the retrieval or modification of content without proper ownership or permission verification, potentially exposing sensitive or private data to unauthenticated or improperly authorized users.

Affected Systems

The issue affects the Struktur theme provided by Select‑Themes, in all releases from the earliest available version through version 2.5.1.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating moderate severity. The EPSS score is < 1%, suggesting a low likelihood of exploitation. It is not listed in CISA KEV, meaning there is no known large‑scale exploitation. The attack vector is an IDOR, which requires manipulating user‑controlled identifiers in the theme’s access‑controlled functionality. The impact is limited to unauthorized access to content and modification of user‑specific data; it does not extend to system‑wide denial of service or code execution.

Generated by OpenCVE AI on April 29, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Struktur theme to any release newer than version 2.5.1, if available, to ensure the underlying IDOR vulnerability is fixed.
  • Restrict or remove access to all theme functionality that accepts externally supplied identifiers, ensuring that only users with the appropriate permissions can view or edit the corresponding resources.
  • Implement input validation and access‑control checks for all user‑controlled identifiers, guaranteeing that a requested object belongs to the current user or session before any data is returned.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 02 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Struktur: from n/a through <= 2.5.1.
Title WordPress Struktur theme <= 2.5.1 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:34.907Z

Reserved: 2025-12-29T11:18:35.617Z

Link: CVE-2025-69029

Vulnrichment

Updated: 2026-01-02T21:58:53.288Z

NVD

Status: Deferred

Published: 2025-12-30T11:16:01.470

Modified: 2026-04-27T20:16:25.803

Link: CVE-2025-69029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses