Description
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FiveStar: from n/a through <= 1.7.
Published: 2025-12-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue is an authorization bypass through a user‑controlled key that allows an attacker to perform insecure direct object references (IDOR). It can enable unauthorized reading, modification, or deletion of data or resources the requesting user is not entitled to, compromising the confidentiality and integrity of site data. The flaw is a classic instance of CWE‑639, where a missing or incorrect access‑control check lets a user retrieve objects for which they lack permission.

Affected Systems

The vulnerability affects the FiveStar WordPress theme provided by Mikado‑Themes, versions up to and including 1.7. The theme is a front‑end display template, so the flaw is reachable on any WordPress site where the theme is installed and active.

Risk and Exploitability

The CVSS score is 5.4, indicating a moderate‑severity vulnerability. The EPSS score is below 1%, so the estimated probability of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path is a web request, authenticated or unauthenticated, that references an internal object or resource the theme exposes. An attacker would need to supply a key or identifier that maps to protected data; if access control is not enforced correctly for that reference, the request succeeds.

Generated by OpenCVE AI on April 29, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FiveStar theme to the latest release (or to 1.8 or newer if available)
  • Restrict access to the theme’s administrative screens using role‑based permissions to prevent unauthenticated or unauthorized manipulation of vulnerable parameters
  • If an upgrade is not immediately possible, deactivate the theme or remove any exposed features that allow direct object references
  • Contact Mikado‑Themes support to obtain an official patch or guidance until a fixed version is released


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Thu, 29 Jan 2026 16:30:00 +0000

Type: First Time appeared
Values Added: Qodeinteractive; Qodeinteractive fivestar
Type: CPEs
Values Added: cpe:2.3:a:qodeinteractive:fivestar:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Qodeinteractive; Qodeinteractive fivestar

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Mon, 05 Jan 2026 13:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Mikado-themes; Mikado-themes fivestar; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Mikado-themes; Mikado-themes fivestar; Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 11:00:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7.
Type: Title
Values Added: WordPress FiveStar theme <= 1.7 - Insecure Direct Object References (IDOR) vulnerability
Type: Weaknesses
Values Added: CWE-639
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:34.872Z

Reserved: 2025-12-29T11:18:35.618Z

Link: CVE-2025-69032

Vulnrichment

Updated: 2026-01-05T12:51:16.411Z

NVD

Status : Modified

Published: 2025-12-30T11:16:01.827

Modified: 2026-04-27T20:16:26.207

Link: CVE-2025-69032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:00:13Z

Weaknesses