Impact
A flaw in WordPress Genemy theme versions 1.6.6 and earlier allows a user who holds the subscriber role to elevate privileges, potentially granting administrator level access. This is a classic example of inadequate access control checks (CWE‑266), enabling an attacker to modify site content, settings, or fully compromise the site.
Affected Systems
WordPress installations using the Jthemes Genemy theme from the initial release up to and including 1.6.6 are affected. Any site that has not updated the theme beyond version 1.6.6 remains vulnerable.
Risk and Exploitability
The CVSS score of 8.8 signals a high‑severity vulnerability. EPSS data is currently unavailable, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be authenticated and local: an attacker must have an existing subscriber account, after which a crafted request can modify role assignments. Once the privilege‑escalation is triggered, the attacker can perform any action normally reserved for administrators.
OpenCVE Enrichment