Description
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19.
Published: 2026-01-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

Missing authorization in the Theater for WordPress plugin allows a user with insufficient privileges to access functions reserved for administrators, exposing the site to unauthorized configuration changes or content manipulation.

Affected Systems

The Theater for WordPress plugin, version 0.19 and earlier, developed by Jeroen Schmit. This plugin is available for WordPress installations.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV. The attack vector is likely remote via the web interface, where an authenticated user or potentially a public user could invoke the plugin’s unchecked actions, enabling privilege escalation within the WordPress environment.

Generated by OpenCVE AI on April 27, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Theater for WordPress plugin to the latest release that addresses the missing authorization check.
  • If an upgrade is not currently available, remove or deactivate the plugin to eliminate the risk.
  • Enforce strict role‑based access controls for all plugin interfaces, ensuring only users with administrator privileges can perform privileged actions.

Generated by OpenCVE AI on April 27, 2026 at 21:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Jeroen Schmit
Jeroen Schmit theater For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Jeroen Schmit
Jeroen Schmit theater For Wordpress
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 06 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19.
Title WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Jeroen Schmit Theater For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:53:28.628Z

Reserved: 2025-12-31T20:12:18.800Z

Link: CVE-2025-69331

cve-icon Vulnrichment

Updated: 2026-01-06T16:52:45.934Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T17:15:45.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69331

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses